From the linked Gitlab writeup: "Some changes to OpenSSH are used from Arachnoid's SSHelper." I'm very glad to see this port of open-source code I wrote years ago, especially now that Google has removed SSHelper from the Google Play store (BTW still available at https://arachnoid.com/android/SSHelper).
After years of trying to keep up with Google's perpetual Android tweaks, I gave up and accepted that they would eventually remove any apps that weren't updated for each new Android version.
These events only remind me how out-of-date I am as a programmer. I wrote and released my first major title, Apple Writer (https://en.wikipedia.org/wiki/Apple_Writer) in 1979. It lasted for six years in various forms, then was replaced by better programs. I wasn't a corporation, I was an individual, and my programs (then and since) have been individual projects.
In modern times, individual releases are rare, and in the future are likely to be even more rare, replaced by collaborations between developer teams and AI.
Not saying things were better in the past. Just different.
I'll say things were better in the past. It's obviously subjective, but I hate the direction things are going.
The user is now viewed as a security threat to their own device, the hyper-churn culture of the javascript ecosystem is now embedding in other areas even systems (like Android, as you point out), "updates" for apps and to a lesser but growing extent OSes, are routinely pushed and forced on users regardless whether they contain new bugs/regressions or horrible UI/UX changes, more and more software is becoming proprietary SaaS and "subscription" based, and backwards compatibility is for the birds. In the name of "security", tech companies and even individual devs are turning our own home networks into opaque spy apparatuses that make network connections that we (the owners of the network) can't even inspect. Even maintaining self-hosted apps is becoming a several-hours-per-week job.
It feels like during the late 00s and early 10s we had some real golden years of open source, but now the poisonous engineering culture that pushes the above things is poised to squash it as a "daily driver" for people. For example, once Microsoft completes their requirements for TPMs and can do hardware attestation like Apple and Google, the ratchet of websites not working (or not working completely) unless the device passes hardware attestation will start, and it will make life on a Linux laptop/desktop similar to how Tor is now where you get endless CAPTCHA hell and nobody cares because you're in a tiny minority of users and many of the tools that provide technological liberation for an individual are also tools used by gray and black hat actors.
And I haven't even gotten to the Apple-ization of everything where it's becoming all about building walled gardens. I remember when compatibility was a selling point of hardware/software.
It's not all bad of course, but it does feel like a lot more bad than good is developing. Happy Monday everyone!
When Microsoft first proposed attestation features in 2002 under the name Palladium, it was almost universally seen as a nightmare scenario. I don't understand why most of the tech world is OK with Apple and Google doing the same thing to our phones now, and Microsoft bringing it back on Windows.
I do understand trying to bury full access to the device a bit deeper than it was on older PC operating systems. The average person doesn't know how to use a computer, and it doesn't appear there was ever much hope of that situation changing. Letting a third party verify the computer is in a certain state, however, seems outright malicious.
I think this is a bit overkill for my taste with root but depends on use case.
I'm SSHing regularly into my Android phone (and it does not need root) for backup purposes. Used various apps for that but settled for years on Termux.
- Always available over my network/wireguard without touching the phone or a cable. Wireless ADB over a tcp socket technically works but requires a USB cable to bootstrap when you use the phone as a hotspot like I do, nor would I dare open it up to the internet.
- Any number of SFTP clients rather than the limited ADB options
- Higher throughput than wired ADB (at least on my Pixel 6A over USB)
- I want ssh access to my termux environment anyway so may as well use it for file transfers too.
I only really use adb for app development, maybe the odd nslookup or android package management with `pm`
If you are rooted, you do not need a wire to bootstrap, there are apps that start the process, but it's mainly for convenience.
Also this lets you run scripts on your real device instead of the chroot thing of termux which can be helpful (e.g. accessing /data/data stuff which is a pain with termux, not sure if it's even possible).
And my last reason is just that why would I need a separate app that I need to configure when I can just have a real ssh server
> ... It also includes rsync (which actually was my main motivation for this project)
I would take rsync any day over unreliable GUI apps that silently fail to complete remote transfers, often as soon as the screen is turned off.
I've used an iPhone for the past few years but may move to a Pixel running GrapheneOS for my next phone. It's apps (well, modules) like this and Termux that tip the scales in Android's favor.
Sadly, termux now has its own issues since android 12+. It is possible to work around the limitations, when you do not have an Android Phone with MDM enabled and have no problems with turning on dev tools and start remote adb from time to time. I no longer use it because of those reasons. However, there appears to be a native terminal in android 15. Maybe this will be the game changer I waited for.
On my (Pixel based) LineageOS ROM, you can disable enough power saving settings to make Termux work well again. Unfortunately, many vendors remove half the settings from their interfaces and make their app killers extra aggressive (just to spite people, it seems, because battery life doesn't seem affected in my experience).
If your phone's manufacturer disabled the necessary power saving settings, I doubt they'll enable them for the Android 15 terminal.
> Unfortunately, many vendors remove half the settings from their interfaces and make their app killers extra aggressive (just to spite people, it seems, because battery life doesn't seem affected in my experience).
To be fair, for every well-behaved background app (i.e. an ssh server that's listening on a socket, which should consume basically zero power), there are probably 10 other misbehaving apps that are phoning home every 30 seconds for ad/tracking/analytics purposes. Moreover, "battery life" is a metric that often shows up on reviews, so it makes sense to game this metric as hard as possible, especially since most people probably aren't running servers 24/7 on their phones.
I'm not opposed to power saving measures being enabled by default, but "let this app run in the background at all times" should still be a setting. Require a PIN or biometrics to toggle the setting for all I care, but not being able to turn off app killers is what turned me off several brands of phones. The defaults are good for the general population but I'm not the general population so let me turn that damn thing off. Show me a daily notification about how an app drained 40% of my battery life if you have to but don't make me root my phone again just to turn off the stupid app killer.
I run into issues with the smart watch integration app getting killed before Google Maps, even when I'm not navigating on one of my devices. No way to whitelist the integration app or set some kind of preference, it's just a lottery, probably based on guesstimated power consumption (which, for an app with a Bluetooth lock, will probably be above average) that I want to tweak.
Some sales/ad manager will force an app dev for money (that will happily take the money, and write on HN after 5 years that he/she is so overwhelmed with guilt that they have to live with 6-digit money on a beach now) and build UI that will trick the user into enabling that for that crap app.
Some of those apps are things I want to phone home, like the system I have that is supposed to dial my thermostat back automatically (as well as back up again).
When these are the tasks that are killed, it costs me more than whatever precious bodily fluids that some ad/tracking/analytics stuff may sap: It costs me real money.
The problem is less with phoning home per se, and more about doing it in a way that's against user expectations. I already acknowledged that there are legitimate use cases out there, but for the overwhelming majority of users, their phone is primarily a communication and media consumption device, which doesn't need 24/7 background access. Yes, it's tragic that the handful of people are being harmed by this, but it's hardly because of "spite" as OP suggested.
The problem is that I'm only theoretically harmed by things that unexpectedly succeed in phoning home, while I'm absolutely harmed by things failing to phone home when I need them to do so.
Dollars I have lost due to things phoning home against my expectations: Close to zero -- if not literally zero. (And close to zero time spent managing that.)
Dollars I have lost due to things failing to phone home when I want them to do so: More than zero. (And hours and hours of time spent trying to make them work more reliably.)
If you really want to get into a game of theoretically vs practically, for most users: they're only theoretically harmed by not being able to disable background activity, because all they're doing is texting (worst case, there's GCM which is whitelisted) and watching tiktok. Meanwhile they're practically harmed because the one-of-a-dozen e-commerce app has some misbehaving background service that's trying to send telemetry 24/7. People also have terrible battery discipline, and if you're out and about a dead phone has actual costs (eg. having to rent a power bank, or having to take a cab rather than uber).
None of this invalidates your use case, but given the rarity of your use case compared to the more common use case, I hope you understand why companies are implementing it not purely out of "spite".
A thing can be abhorrent and disdainful and motivated by the best and most pure of intentions, all at the same time. These are not in any way mutually-exclusive constructs.
Rarity?
Perhaps the best way to make sure a thing remains rare or unusual is to neuter it straight out of the gate. In the past few days here we've seen SSH servers and Docker containers on Android, with the repeated caveat of "Yeah, but the task killer won't let that really work." And that's absolutely true: It won't.
I am running a copy of this on a spare phone. I'm 95% sure that it bundles an sshd, as LineageOS does.
The Bliss launcher leaves a number of features to be desired. I can't see how to create a shortcut of the browser as an incognito tab, which for me is a must-have. The lack of widgets beyond the separate widget pane also is limiting.
I've seen some methods to get Trebuchet imported by various means. That would be required for a daily driver.
Otherwise it looks like a reasonable clone of Lineage with odds and ends.
Edit: LineageOS bundles /product/bin/sshd - I have seen wikis on how to set this up with authorized_keys. /e/OS likely has the server daemon as well. My phone says that it's OpenSSH 9.0p1, BoringSSL.
:shrug: different strokes. I prefer /e/OS to LineageOS because things like maps, banking apps, microG + signature spoofing work out of the box. I think most Lineage users just install GApps, but I'm trying to avoid the google ecosystem.
That's exactly my point: You're deliberately installing Google software on your LineageOS device, so it's not really that different (from a supported apps or data privacy perspective) from a stock ROM.
GrapheneOS and /e/OS are trying to solve different problems: producing a usable Android operating system that isn't tied to Google.
I use syncthing a lot too and yes, it used to be perfect on my OnePlus 6 with Lineage, but on my new Pixel 8 on stock I can't seem to get it to stay open; it always gets killed even though I'm pretty sure I disabled every battery-saving thing for it.
It really depends which edges you find rough. Maybe we don't have the same needs. I try to use mostly open source apps and sync my calendar, contacts, files, notes and podcasts via Nextcloud. I use sandboxed Google Play Services for the small handful of apps I need but can't get any other way, everything else comes from the various open stores like F-Droid, Aurora, Accrescent, and Obtainium.
I've used countless ROMs over the years, as well as stock Android, AOSP, CyanogenMod, later LineageOS, Calyx etc., without Google, with microG etc.
Honestly Graphene is the first where everything just worked, and gave me the option to take or leave google apps, and have them in a sandbox if I desired.
Probably the first time I haven't felt the need to root or install magisk modules to customize behavior.
For me it's like having your cake and eating it too.
To be honest, and this probably seems minor / trivial, but one of the only things I miss about using GOS is the ability to turn on the flash light by holding the power or whatever other button.
I'm curious about the rough edges you experienced.
1. apps are rather slow to install, since GOS compiles JIT (just-in-time compiled code) on install for security/speed. It's a bit of a pain when I'm needing something now
2. play integrity fails, so some banks¹ don't work, and NFC payments are pretty much bricked
3. I had some weird issue setting up my galaxy watch. probably a Samsung thing but it'd download software for an hour then fail with a generic message multiple times
now writing this out, I realize a lot of these are skill issues I need to just take a couple hours and try to fix
1: my solution is just to use web apps and it works well since I end up with less apps. PWA FTW!
All my smartphones had been Samsung, and then I bought a Pixel just to get GrapheneOS and for me it's a way nicer experience, so I'm curious what the rough edges are that you experience?
You'll lose any apps that use play integrity or other similar checks that check for a non-google OS. Some banking, media, or gaming apps may use those checks, but I haven't encountered many in the US. Other than that, everything will work as stock if you use the sandboxed play services. If you don't use play services, there's perhaps a longer list of things that won't work, including notifications for most apps that rely on FCM. The OS supports different types of isolation schemes like private spaces and additional user profiles. So you can find some middle ground on whether or not you want play services, which accounts are logged in where, etc.
The only downside is the increasingly onerous attestation requirements that are eventually going to infect virtually all proprietary software for Android.
If you only care about running open source code, you're golden.
To pull files off my Android phone I installed an FTP server app. Gets the job done for me, and works on stock Android. I only turn it on when I need it.
Hmmm, that's strange? I have it installed on my Pixel 8, which launched with Android 14 and recently upgraded to Android 15. I wonder what's different for you?
Sadly you are in the vanishing minority of Android users who care about this. Most people just want a phone that works. So much that many people switch to iPhones because, admittedly, many things work better in their walled garden, and the phone is "simpler" because the OS hides many details or doesn't allow you to do anything.
I used to spend lots of time trying different ROMs, figuring out SU and SELinux stuff, and fighting with SafetyNet. These days I just use stock Samsung ROM. I still have Termux on my devices but only use them occasionally when I don't have a laptop next to me and need to do some hardcore stuff. (I might even switch to iPhone someday because the password autofill experience on Android is just atrocious and infuriating while Google has done almost nothing for the past few years.)
Personally, I would suggest trying out GrapheneOS on a modern Pixel before going to iPhone. They remove 80% of the Google annoyances and have a very good security profile compared to anything rooted and most custom ROMs that don't bother with relocking the bootloader.
You will still fail to pass device verification, but that doesn't really matter to me. I don't use tap to pay (that's what NFC credit cards are for) nor play any mobile games that actually care.
I could not imagine using a stock Samsung ROM personally, but to be fair, it has been years since I tried. Maybe I'm still just too burned from the bloatware of the early Galaxy days.
Samsung phones are pretty nice these days. It's also very easy to migrate to a new phone. Their software migrates almost everything including side loaded apps.
For some definitions of works. It's frustratingly inconsistent for me, very often it'll give me no suggestions on apps it's filled many times before and I have to go open it and manually copy out passwords.
It works great with other apps. I've switched phones a couple times and had no issues that I can think of with passwords. Maybe sometimes some banking apps prevent FF from opening, so I had to manually lookup the password, but I think the most recent time I didn't have this issue with any apps. Also, I use FF to randomly generate most passwords.
> e.g. if I open doordash and try to log in, which opens a web view with a login form, does autofill popup?
Yes, I just checked with Gmail > random website in Gmail WebView, and Firefox autofilled it fine. That being said, WebViews can be unique app to app, so I can't promise it works for DoorDash as I don't have that app.
I assume "official stock OEM Android" is what you meant, and I hope you'll give specifics of the things you mention. Alternative browsers like ungoogled-chromium-android, Cromite, Vanadium, and some others purport to have stripped most of that out from the Chromium browser, while GrapheneOS, LineageOS, /e/OS, and maybe some others purport to do that at the OS level.
I don't understand. You're saying people can't use PiHole with Android? But lots of people do that... Or do you mean it can't be installed on Android itself? I googled that and it seems it can be...
You still can't set the IPv6 DNS server manually and you can't permanently disable IPv6.
When you install pihole and set it as the DHCP server and also as the IPv6 "RA" server, the IPv6 DNS server from your router will still be used primarily, making DNS-based blocking on Android ineffective.
I'm guessing it's for the use case where you "adb shell" into the phone, and want to ssh elsewhere (where dynamically-linked Termux binaries would not work)....
Edit: .. though, one could always just start an ssh server in Termux in the OS for this.
Maybe it's if you want to have ssh and rsync in the recovery or fastboot modes? Just in case you can't get (or don't want) to run the android system?
Edit2: Ah. It's for when you want to use another app that can call system commands, without having to build ssh and rsync into the app, nor spawn an intermediate termux process from the app. It cuts out the middle-man. That is quite useful.
Installed it just now - don't forget to enable incoming connections on the firewall (AFWall+) if you happen to use one - and did some experimenting, especially to find out whether it would open up the device to the deluge of ssh probing. Even though those probes will (in a sane universe) not succeed they're unwelcome anyway. I do notice the device listens on port 22 on both IPv4 and IPv6. Fortunately it is possible to change this by editing /data/ssh/sshd_config where I disabled IPv6 (not necessary in this context) and changed the listening port. You never know on which network your device will end up after all.
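A check for the two settings the comment above changed in /data/ssh/sshd_config (listening port and IPv6), as an added example that is not part of the thread or of the module. It goes one step further and also accounts for a `ListenAddress host:port` line, which takes precedence over `Port` for that address; the function name, warning texts and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise where an sshd_config makes sshd listen.
# Keywords are case-insensitive, the first AddressFamily wins, Port and
# ListenAddress may repeat, and none of them is valid after a Match line.

sshd_listen_audit() {
    awk '
    function add(p) {
        if (!(p in seen)) { seen[p] = 1; list = list (list == "" ? "" : ",") p }
    }
    /^[ \t]*#/ || NF == 0 { next }               # comment or blank line
    { key = tolower($1) }
    key == "match" { exit }                       # global section ends here
    key == "port" { cfg[++nc] = $2 }
    key == "addressfamily" && fam == "" { fam = $2 }
    key == "listenaddress" {
        nla++
        # host:port and [v6]:port carry their own port; a bare IPv6
        # address has several colons and no brackets.
        if ($2 ~ /^\[.*\]:[0-9]+$/ || $2 ~ /^[^:]+:[0-9]+$/) {
            p = $2; sub(/^.*:/, "", p); own[++no] = p
        } else bare++
    }
    END {
        if (nc == 0) cfg[++nc] = "22"             # sshd default port
        if (fam == "") fam = "any"                # sshd default family
        for (i = 1; i <= no; i++) add(own[i])
        # Port applies when no ListenAddress exists or one omits its port
        if (nla == 0 || bare > 0) for (i = 1; i <= nc; i++) add(cfg[i])
        print "ports=" list
        print "family=" fam
        if ("22" in seen) { print "WARN listening on default port 22"; w++ }
        if (fam != "inet") { print "WARN IPv6 listener not disabled"; w++ }
        exit (w > 0)                              # non-zero status on warnings
    }' "$1"
}

# Constructed sample configs (not taken from any real device).
write_samples() {
    printf '%s\n' '#Port 22' '#AddressFamily any' > "$1/default.conf"
    printf '%s\n' 'Port 2222' 'addressfamily inet' 'AddressFamily any' \
        > "$1/hardened.conf"
    printf '%s\n' 'Port 2222' 'AddressFamily inet' 'ListenAddress 0.0.0.0:22' \
        > "$1/override.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in default hardened override; do
    echo "== $f"
    sshd_listen_audit "$demo_dir/$f.conf" || true
done
rm -rf "$demo_dir"
```

The `override` sample shows the case that is easy to miss: `Port` was changed, but a `ListenAddress` line with an explicit `:22` keeps the default port open.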
I wonder if that includes the SFTP server component of openssh?
If so it would be very useful for use with rclone. I back up my phone by running an sshd in termux then using rclone with sftp remotely. This works very well (until the phone decides on a whim to kill the sshd!).