
One way to be a little less constantly violated by your phone is to run GrapheneOS, instead of iOS or ordinary Android: https://grapheneos.org/



Sadly device attestation has all but destroyed installing other OS. I couldn't use government or banking apps back in my old phone with LineageOS.


I'm running lineageOS, and I had to root the phone to make one banking app work (and Netflix and some games.)

It actually passes SafetyNet out of the box, but there's a CTS profile check that some apps do in addition to SafetyNet, and I had to root the phone to make it provide a profile that those apps are happy with. And then I had to install a SafetyNet bypass, because fixing the CTS profile broke SafetyNet.

It un-roots itself every time I install an update, which is kind of a pain in the ass, but someone wrote a script to re-root lineageOS (from a desktop computer), so it's not too bad these days.


Would you mind saying what phone you have, and which script? I'm using a (by now rather old) OnePlus 5 and potentially in the market for an upgrade -- and easy rootability is more my key feature than bling or a 50 megapixel camera....


Sure, I'm using a Moto g100 / Edge S (different branding depending on where in the world it was purchased, but it's the same hardware).

And this is the script I'm using: https://github.com/NicolasWebDev/reinstall-magisk-on-lineage...

Overall I'm really happy with my g100. The bootloader was easy to unlock, it has a headphones jack, a microSD slot, the battery lasts 2-3 days, and the performance, screen, and cameras are all good enough that I don't think about it.

The only things that I don't like are that the physical size is larger than I would prefer, and it's not waterproof. Additionally, the single down-firing speaker is kind of lame when compared to my previous phone's stereo front-firing speakers above and below the screen. I'd much rather have a bit of bezel if it meant I could have stereo front-firing speakers (and no camera hole punches!)

Oh, and I had to use a different phone to activate the SIM card to make it work on Verizon, because even though the phone is actually compatible with their network, they don't like it for some reason.


I'm also hanging on to my OP5 on Lineage. Always keeping an eye out for a replacement:

* runs Lineage,

* dual SIM,

* not enormous,

* headphone jack (nice to have).

There's nothing out there.


Lineage on a Xiaomi redmi 10 pro, everything working perfectly (also dual SIM and SD card + headphone jack) get about 2 days battery life. Though it's quite old now so I've no idea if it is as good as an OP5 or not lol

Running https://github.com/kdrag0n/safetynet-fix/releases on magisk to allow for things like NFC payments using Google wallet etc.

The way you have to hide from apps is a bit weird these days using magisk filters, but other than that the entire thing has been set and forget, and I've not had any issues


As @morrbo said, you can get a Redmi Note something, I'd suggest the Redmi Note 13 Pro (not plus, that doesn't have the headphone jack, for some reason).

It is great, and the official unlock tool works seamlessly.

But you have to wait a week before unlocking, which I guess is there for you to """try""" MIUI. Still not a problem, though.


What I would do is make a short list of phones that interest you and go check the XDA developers forum for each model


Yeah, I probably tried all those scripts people guarantee to work. Even with all profiles I tried to load somehow most of those apps knew I was rooted.


Oh, I didn't mention it in the original post, but I'm also using magisk hide, or zygote, or whatever they're calling it now.

Additionally, I've blocklisted certain apps so that they're not even allowed to request root access, because the banking app that forced me to root it in the first place would ask for root permission every time I launched it.


Once google only accepts hardware attestation it's over unfortunately


I use GrapheneOS daily and use banking, government, and other sensitive apps without problem. It's a common myth that you can't use those apps on GrapheneOS.


It's not a myth. I run GrapheneOS, and my bank app doesn't work, the Blind app doesn't work, and another common marketplace app (not amazon) has shadow banned me for using it on a device without hardware attestation. I only found out after reaching out to support and having a lengthy conversation with them.

It's idiotic that they require hardware attestation, but let's not fall into the trap of "it worked for me".

Even with these limitations, I'm okay with continuing to run GrapheneOS.


Even the McDonald's app doesn't work if you install it through Aurora store lol. Even though it's the same signed version distributed through Google play and I have Google play on the device, just not signed into a Google account.

Somehow it detects that it was not installed through Google play and refuses to work with an explicit message stating this reason. I really wonder why they care. The app doesn't even take payment, at least not in this country. You still have to pay at the order portal thing.


Fair enough, but on the flipside I wanted to point out that for at least some of us it's possible to use GrapheneOS with no compromises to the experience. Usually you only hear about those telling you categorically that you "can't" use banking, government and other sensitive apps when that's not true. Anyone on the fence should try it out themselves.


You can run all of these apps with GrapheneOS, in that regard it's very different than LineageOS because it has a compatibility layer as a first class feature [0]. You can either create a different user profile and install the play services there or create a work profile (with shelter) and install google services there. I keep my banking apps in a work profile and shelter completely freezes/disables them when I'm not using them. Otherwise they work fine. I do want to note that I'm fine with only using apps from F-Droid in my main profile. I mostly use NewPipe, FairEmail, KeePass and Harmonic (HN client) and that's about it. I don't tend to create accounts on websites but if you use social media this setup will probably not be the most compatible. It's honestly mind blowing though. I've never ran a custom ROM with such a "vanilla" experience, even getting OTA updates within a week of them being out for Android.

[0]: https://grapheneos.org/faq#google-services


In my experience, most banking apps are horrible and not worth using over accessing the bank's browser version.


Some banks, especially newer ones, don't even have a browser version. Or they do, but they require you to use the app for 2FA.


When the app itself is also the second factor.


You don't get payment notifications when you use the browser version and you can't log in with a fingerprint scanner.


I don't need payment notifications (I check it regularly anyways) and I actively don't want to use biometrics for logins, so there's 0 loss for me.


Device attestation works for banking applications on GrapheneOS.

The only thing which doesn't work is google wallet because they explicitly expect a Google signed operating system.


That's probably what those apps use, then. Because all those tricks people mentioned never worked. Some explicitly failed saying that my ROM signature wasn't official.


Have you actually tried using your banking application on a recent (post introduction of sandboxed Google Play) GrapheneOS?

Restricting things to only Google ROMs basically also means your banking app won't work on a bunch of non-google Android phones and even most banks don't want to go that far.


When I started using GrapheneOS several years ago, I quickly realized I had jumped a lot further down the FOSS rabbit hole than I realized.

Today, I consider the inability to use government or banking apps on a device that travels in my pocket a feature, not a bug, but it was indeed a steep and sometimes unpleasant learning curve.


They only seem to support pixel, although pixels can be bought for cheap when compared to iphones, they're still expensive for countries which are still developing.

For example I'm using a device which is 1/4th the price of cheapest first hand pixel that I can get

:(


LineageOS is supported on a bit more devices, and works with microG if you're willing to sacrifice Google Pay for better battery life and less privacy violations: https://lineage.microg.org/


This worked ok, but wasn't as nice as grapheneos' solution so I ended up upgrading to a pixel once my cheap chinesium phone was sufficiently old and haven't looked back since. If you do the microg route you should be using a throw away gmail account you don't care about losing with the aurora store (if you need access to the google play store) because there is a non zero chance they ban your account.


> a throw away gmail account you don't care about losing with the aurora store

They also have a pool of accounts you can use by clicking “anonymous”. They do get banned frequently, and you have to re-login once in a while (for me it's almost every time I want to download something new again), but it is definitely usable.


It's a lot less usable lately because of the "Oops this account is rate limited" error unfortunately. Sometimes it takes me 10 tries. Updates are fine though, it's just searching for new apps that trigger it.


Yeah, I thought search was completely broken tbh. Usually I search in browser then use “Open in app” to open in Aurora and download.

Maybe they can add some web scraping thing to sidestep this issue completely?


LineageOS unfortunately dropped support for my Moto G4 relatively quickly after I installed it and it only was supported up to Android 7.1. I have been running an unofficial build of 8.1 ever since, but that is also horribly outdated by now.


Maybe you can try getting DivestOS running. They only have 14.1 (Android 7.1.2) but unlike old LineageOS builds they patch security vulnerabilities and include some hardening.


You can build it yourself, although it's a pain in the ass.


Dude buy something new


Oh yes, more e-waste, more consumerism. We don't have enough of those. Sending text messages and viewing images requires a 90's supercomputer. It's fine.


But why waste the money? I intend to use this thing until it breaks...


Same here. I've benefited from hand me down devices for a long time, and I wish I could still be using the Samsung S3- so light, I have several spare batteries, it fit in most pockets, and it has a 3.5mm headphone jack. The iPhone SE from 2015 that recently I gave to one of my parents was nice, too.

My laptop is also from more than a decade ago, and I'm happily running LMDE 6 on it.


This is all correct and valid.

Everyone doesn't have to live like this, but it's utterly valid, and no one has any right or justification to try to tell anyone else not to.

I can buy anything any time, but I miss swappable batteries, headphone jack, sd card. These were all basic utility features that made a device interoperable and more generally functional. Removing them only benefits the people selling new phones, wireless headphones, and cloud storage.

My old vaio 3 laptops ago is actually still perfectly fast enough at what I do today, it just only has usb2 ports, which eventually became too big of a pain point. But it also had a real docking station that you plop the machine into, not the stupid "docks" we have today that are not docks but just mega-dongle-hubs where you connect a usbc cable. I miss that dock every day since 5 years ago. I could easily still be using it today even though it must be 15 years old or more by now. And if I were, no one else would have any justification for trying to say that I shouldn't, and no software or service provider would have any justification for artificially creating some incompatibility that only serves their goals instead of mine.


it's not a waste of money, that android version is a security mess


It is for me. And there is nothing important on my phone so it is not a huge concern. And why do we have to accept that phones just turn into garbage after a few years? Even my old 2009 laptop* still runs an up-to-date OS but my 2016 phone is obsolete after 2-3 years?

* but I have to admit that the hardware is quite slow


> And why do we have to accept that phones just turn into garbage after a few years? Even my old 2009 laptop* still runs an up-to-date OS but my 2016 phone is obsolete after 2-3 years?

It is because computers run one of a few available OS's. The OS is being maintained by the distributor (MS, Apple, Google) and your hardware is good as long as the drivers are still receiving updates.

Phones are different because even though everyone only uses iOS or Android, every Android manufacturer puts their own layer onto Android, so Google can continuously update it but the manufacturer might not. Most companies only maintain their phones for about 3 years, giving a significantly reduced lifetime than computers.

It still works fine, but from a security perspective, keeping the phone without patch support is a bad idea.


I mean, I know why it happens, but that doesn't mean I'm happy about accepting it.

It is really annoying how every vendor cobbles together a Frankenstein abomination of a kernel with just the right drivers and patches and good luck trying to run anything else. But I also understand that they (except maybe for Google) have no interest or incentive to clean up this mess.


That's true, and I think that we should be rewarding the companies that are bucking the trend:

Fairphone 5 will receive security updates for 8 years

Pixel 8 will receive updates for 7 years

iPhone 15 will receive updates for 6+ years (apparently, Apple has a track record of between 6 and 8 years)


Even if your phone really has no access to anything that you wouldn't want leaked (although most people would object to a third party having access to their phone calls, text messages, and location data), a compromised device is still a great way to launch attacks on other devices including taking part in botnets. None of this is an objection to old devices, mind; I'm a big proponent of running new software on old hardware, but the security patches are important.


Moto G4 was released in 2016, only 7 years ago.


Interesting, can I still use the Play Store with microG?

I already run LineageOS, but with Play services. I would like to be able to ditch Play services, but still need the Play store for things like my banking app, and an app to log in to government services.


You can install apps from Play Store with Aurora Store, which is in F-Droid.

I'd say it's a toss up whether specific apps will definitely work. But if they don't I'd recommend segmenting between different physical devices, and making the one that lives in your pocket as secure as possible. It's likely that you don't need to run banking and government apps on the same device that's privy to your movement.


In my country (Belgium), mobile payments are a big thing using the national payment network (Bancontact). Lots of small shops don't accept cards and only do mobile payments because of the lower transaction fees.

These mobile payments only work with your bank's app or a dedicated app (Payconiq).

My current approach is to put all these apps in my work profile which I can turn off (using Insular from F-Droid). Only apps for which I need background activity or instant notifications (Signal, an open source podcast app, and sadly WhatsApp) are installed in the main profile.

Sadly, this approach still requires me to have Google services always running in the background for a functioning Play store in my work profile.


I've heard something about using Play Store proper with microG, but obviously that's very flaky. Aurora Store is the way to go.

And banking / government apps tend to work in Europe (at least the ones I have tried). Notable exceptions for me are Revolut (shame!) and McDonalds (who knew microG is the healthier option haha). Of course, in the US things might be vastly different.


Yeah I love MicroG. But I really wish there was a big-tech-free payment solution :(


Yeah. It's either that or state-supported systems (UPS in India, SBP and MirPay in Russia). Cryptocurrencies could be the answer but governments would never let that happen I think.


Even in the US, the limited hardware support is a barrier right now, especially with having to find a unit that has an unlockable bootloader.

But it's still doable for many people. I most recently bought a second-hand Pixel 6a for GrapheneOS, and BYOD it to an inexpensive no-contract plan.

Pixel 6a units with unlockable bootloaders are currently $235+ on US eBay, which is less than new current Pixels and iPhones bought outright, but more than many lower-end devices, and more upfront than people pay for contract plans that toss in a phone.


Aren’t those kind of phones typically infested with malware from the manufacturer to begin with, making Google’s stalking the least of your worries?


Can you share some examples?

It's very interesting because 1/4 of Pixel 6a would be around 80 EUR... so I wonder about your environment and what workarounds you have for these problems.


So I'm in India, and pixel 6a seems to be of 30999 Rupees on Flipkart (amazon like online store)

The device I use regularly is moto g14 which is at about 8500 online, with discounts can go for 8000.

Honestly there is no work around as the moto g14 comes with a 4gb ram and 128 GB internal storage, 6.5 inch screen and 5k mah battery, it can do pretty much anything.

I've just started working full-time after college and now I earn more than enough to buy pixels or iphones but currently the money is going on other important things that were pending


I got lucky and bought a barely used Pixel 3a for ~ $130 USD. But yes, it was hard to find.

It was much easier to find a Pixel 4 or a 4a, but those were too expensive for me.


There are other alternatives as well; LineageOS, /e/OS and CalyxOS that might be more your taste.


Also Volla OS.


It's still based on Android though - so isn't it building on sand ?

Isn't it better to focus our efforts on projects unrelated to Android, especially since some viable ones have appeared recently : Librem 5 and especially PinePhone.


Banks in many countries require an Android phone for online banking. Even if they offer an online-banking website that you can access with any browser, you may still need the Android app for 2FA. This is one of a number of reasons why the PinePhone or Librem is unfortunately not a daily driver. Also, things like paying for parking or interacting with public services are moving to Android apps in some places.


Is that even legal ?

Banking and public services are too important to be restricted to people with smartphone ownership (even regardless of OS).

It's even more important to refuse to use them, publicly shame them, and complain about them failing at their duties.


Before smartphones some banks used a hardware token to authenticate web transactions, but now that is being moved to (non rooted) smartphones.


I was given a hardware device by my bank to do my online banking. If they want to move to smartphones I expect them to provide me one of those as well.


One of the very reasons banks have been phasing out hardware tokens (and code cards) is because they represent a cost. Of course the bank is going to put the price of the smartphone all on customers.


Don't most banking apps reject non-GooglePlay/unofficial-image/rooted phones?


Yes, and the reasons are instructive.

When you get to the lowest level, technically, the banking apps want to store files on the phone that the user can't access.

This means that something like lineageos can run banking apps, if the phone tells the banking app what the app wants to hear. It's fiddly but can be done, and in fact it is what I do on my private phone. It also means that a platform that fundamentally gives users the right to read all the files on the phone (ie. to make a complete backup) will not be supported by banking apps, because such a platform will not let the banks do what they think they need to do.

I think this implies that such platforms can't grow beyond a niche within a niche.


While I can understand Google and the banking apps' actions, it doesn't make much sense given how PCs having root is hardly ever a concern for a bank. If you can do something bad with banking on a rooted device, it's probably doable on a computer too.


Oh, banks are definitely concerned about PCs having root. There are even some banks that have removed their online banking websites entirely (except, perhaps, for corporate clients) and require customers to do everything through the Android app instead.


My bank and my wife's bank both require 2FA. On the app, one of the Fs is having physical access to the device (the phone/app, which was vetted by the bank when the app was installed). On web browsers, these two banks don't offer any factor like that.

In end effect, the banks treat a non-rootable device as suitable as a "something you have" factor, but will not treat a rootable device as that.


Which is why I was switching banks until I found one not forcing me into the duopoly.


In some countries one no longer has that possibility. Not everywhere has a range of banks to choose from, sometimes mergers have resulted in just a handful of banks for a country, all of which enforce use of an Android app.

Oh, it’s fsflover, the poster with the Librem idée fixe. Haven’t noticed you here in a couple of years. Your comment elsewhere here about GrapheneOS not requiring much less effort to daily drive is way off. GrapheneOS runs banking apps and, in countries that legally enforce use of certain apps for ID or payment, those apps, too. Zero hoops to jump through. Meanwhile, a Librem phone (or a PinePhone) will not work.


Of course, in some countries you have lack of important freedoms, which says a lot about their state of democracy. However if your country gives you a choice, consider using it in order to not lose it.

It's nice to know that I'm somewhat famous. I never suggested that running banking apps on GNU/Linux phones was as easy as on Android forks (however, reportedly it is possible for some banks). I meant other daily tasks of course.


The country I live in has strong consumer protection laws. Banks deal with it by judging risks: That which is too risky is what they won't offer.

My bank does not offer Western Union transfers, for example, because there's been too much fraud. And does not accept root-platform devices as 2FA "something you have" factors.

Liberty or consumer protection? Your choice, really.


Arguably, typical Android is less secure than a Linux phone, since it constantly calls home, runs a ton of untrusted apps and often has a short software support time.


Huh that's interesting, thanks for mentioning it. I wasn't aware of that.


One of the draws of GrapheneOS is that, since Pixel phones have a relockable bootloader, that Android image will pass SafetyNet. While Google Play Services is typically required by banking apps, on GrapheneOS you can run Play Services in its own sandbox.


They might, but app for my bank works happily on LineageOS.

Same eg. with app for a local 2nd hand site, which on startup complains that it needs the Google services... and then runs without issue (only appears to use those Google services to pinpoint the phone's location).

Imho this is 1 more reason to put alternatives like LineageOS on a phone: the more users on those, the harder it is for app developers to drop that usergroup for... well, reasons.


Ironically you might have to root your phone to install the necessary Magisk modules to make the app think it's on a phone running the official thing.


Most reject phones that don't pass SafetyNet. There are ways to pass it with unofficial images/rooted phones, although I'm not sure for how long they will keep working and I think you still need Google Play.


Do not use banking apps on a phone because it is not secure (there is no second factor). Use bank's website on a laptop instead.


As I said, for many banks, in order to log in to the bank's website on a laptop, you need to receive a 2FA code sent through the bank’s app on an Android phone.


I’ve found that many times when a service says this the system will work with any OTP program. They just don’t tell you specifically. Maybe they don’t know, think it’ll confuse, and/or prefer you didn’t.


Not always, some countries actually require this to be sent over a bank-specific protocol.


“many times” is roughly equivalent to not always.


Here (in Russia) typically SMS is used as a second factor and you don't need an app. Requiring to install an app is basically requiring to buy a modern smartphone only to be able to log in.


Unless you're using a Chromebook or similar device as the laptop, this is kinda out of date, if using best practices.


It's the regulation that should focus on creating the foundations of alternative systems, not the phone manufacturers. If a bank doesn't have a website, or a govt app doesn't have a website equivalent, then Librem & co is already out of the picture, from the everyday usability standpoint. To provide the citizens freedoms, service providers need to be forced to use open standards, like HTTP & HTML, to serve a standard interface that has all the necessary functionality. No matter how many grassroots initiatives we have, if this is not provided, they are automatically all out of the race.

So really, if anything, I'd like people to focus on regulation.


No it isn't, as unlike the others, grapheneOS is actually usable and dailyable.


I doubt grapheneOS requires much less effort to daily drive than others. Sent from my Librem 5.


As an owner of both a Librem 5 and a Pixel 6a running GrapheneOS I can confirm that the latter has been much more reliable and has taken substantially less work to get to the point where I can daily drive it. The Librem 5 is not there yet, and while I would like it if it were I'm not currently very optimistic about that.


In the past year, I have used a pinephone+keyboard with Arch, a oneplus 6t with postmarketOS, and a pixel 7a with GrapheneOS. In my opinion, Graphene is significantly easier to daily drive because the applications are designed for a phone's form factor.


Could you share which Pinephone apps you needed that aren't designed for a phone's form factor?


The biggest one is the Firefox ESR build from the pmOS repos with the custom userChrome.css that tries to fit everything onto the Pinephone's screen. I pretty consistently encountered pop-up prompts (for example, in the built-in password manager) that ran off the edge of the screen in both portrait and landscape. Zooming out sometimes helped, but then the text was unreadable and the buttons too small to press. There was also no forward button in either the overflow menu or the nav bar. The Phosh settings app had similar problems.


There's some hiccups when you first set GrapheneOS up, but after that it is as smooth as, and blends in with, any other Android device. I've never used Librem or PinePhone to comment on them


Based fellow GrapheneOS enjoyer!


… as long as you trust the developers, and their ability to secure themselves, of course.

I mean, if I was a three letter agency, sneaking into some GrapheneOS developer’s basement to add a camera to record his keystrokes would be the easiest trade ever for all the paranoid people using it. It’d be way easier than sneaking into Apple or Google. Might even be worth violating internal law to do it; because getting caught is extremely unlikely, and forgiveness is easy.

Edit: Also, don’t forget that, if you should get arrested, “he used GrapheneOS” is 100% going to be used against you in court. You might use technical arguments or principled reasoning, but that doesn’t resonate with juries. Unfortunately, using extra-strong privacy tools is perfect for framing you as a criminal.


You make a convincing argument. I'm switching to GrapheneOS for my next phone upgrade. Here is the source code: https://grapheneos.org/source

> “he used GrapheneOS” is 100% going to be used against you in court.

I look forward to using this as a litmus test for legal representation.


Are you personally capable of ensuring:

A. The builds match the code?

B. The NSA hasn’t stolen the signing key and isn’t feeding you customized images?

True, you can’t verify that with iOS or Android either. I am saying though that trusting my security because it’s safer… by being in some guy’s garage feels like an odd trade. One that shouldn’t be casually ignored, at least.


If your threat model for your phone includes the NSA as an adversary, maybe you shouldn't be using a phone at all.

For the rest of us, who just want to be violated less, we have to choose our poison. The corporate options are shameless violators, and the alternatives are gambles.


Even if this was true, it seems harder to compromise a single paranoid coder working out of his garage than any one of 1,000 corporate developers, their workstations, or associated networking, or servers in any (even high-security) company.

Weakest link in the chain and all that. There are just a lot fewer links in the chain. More likely that a vuln is introduced as part of Android and makes its way into GrapheneOS than directly into a tiny project.


No I'm not. Does that mean I might as well cc the NSA to all my emails?

Your comment is basically "is it perfect? No? Then it's not better".


I’m saying that, if people who use it aren’t careful, they could end up like the university kid.

There was a university that received a bomb threat over Tor. They found one student who used Tor on the network at around the right time, and because he was the only Tor user, he’s in jail for a very, very long time. That kid was at Harvard, his pursuer the FBI.

If you are going to use GrapheneOS, don’t be naive and think it will make you agency-proof. If anything it probably flags you to their attention.


Why are you under the impression that since I want to use a more secure OS than Android or the equivocating Apple that I must be wanting to bomb a university?

Please.


Absolutely not. But if anything bad happens, or you are attending a protest and suddenly getting investigated for rioting, you might have second thoughts.

I do not condone or endorse illegal activity. That does not mean your use of GrapheneOS might not be used against you if you use it at an inopportune time. There is currently almost no discussion online about this, so it’s worth a mention.

Edit: I forgot to mention some obvious context in my head. Think journalist, in Russia, using GrapheneOS for “safety.” In such a situation, probably a terrible idea.


The kind of over-cautious cowardice you are displaying is what drives societies to become conformity-enforcing police states.

"You're painting your fence beige instead of white? Are you sure that's a good idea? What if there's a crime committed in the neighborhood - beige-fenced deviants are the first that the police will look at!"


People have been trying to stick Linux and the AOSP for the same reasons, but it's quite obviously never worked. Linux and Android are not popular because they are superior security tools, they are popular because they are free and accessible. Governments play poker, they don't want you to know what their hands look like. Condemning any particular software is the equivalent of folding their hand; it's an admittance of defeat. It won't happen unless they face a hopelessly equipped adversary, like Huawei.

GrapheneOS is likely not a secure system, but neither is any smartphone OS. I'll compliment anyone taking steps towards transparency that makes governments and global-scale corporations tremble at the knees.


> There is currently almost no discussion online about this, so it’s worth a mention.

A mention, not a core argument against use.

In my reading, your core point is an old argument: https://en.wikipedia.org/wiki/Nothing_to_hide_argument


I remember seeing that news on arstechnica or some tech publication I was following at the time.

It actually put a little fear in me because I look around and not a lot of internet users in my small hell hole of an open prison I call home and I was like "dude. You're like an alert beacon screaming here is a tor user, check him out".

I was using tor at the time and that is the last day I used it because this use case fit me somewhat. Not for sending bomb threats but because the nature of surveillance, I am a target of the government so any outlier gets flagged pretty hard.


I always connect to tor over VPN first for this reason. But I guess it makes me even more suspicious lol


Ah, yes, you're right. It's good to use, but it's not perfect.


> by being in some guy’s garage feels like an odd trade. One that shouldn’t be casually ignored, at least.

Let's give some credit to Daniel Micay and assume he isn't coding this by himself, especially after the CopperheadOS debacle.[0]

[0] https://grapheneos.org/history/


It doesn’t matter who is coding it, it matters who owns the signing key that will make your phone recognize the authenticity of the software. And, of course, if anyone else has it.

Also Daniel Micay no longer works on the project.


>Also Daniel Micay no longer works on the project.

This isn't true. He stepped down as lead dev. Still one of the main contributors


The sad thing is that this is exactly what might happen in the EU since spyware will soon be mandatory.


> “he used GrapheneOS” is 100% going to be used against you in court.

Has that ever happened?

I hadn't heard of that, and people have been running GrapheneOS (and Copperhead before it) for many years.

The first person I knew using it was a lawyer at Harvard Law School.



