Long gone is the time when unlocking bootloaders and installing custom ROMs was the best path to follow.
Even if you are able to unlock it (with difficulties such as this one, or others that involve opening the device and soldering a shortcut), you will have a device where apps check for unlocked bootloaders and rooted OS, and forbid you from using the application.
The only app I've seen balk at bootloader status (to date) is Google Wallet. Using a phone to pay for stuff is an opsec nightmare you'd only entertain so long as becoming an integrated and saleable asset in a data broker's portfolio is a life goal. 'pm uninstall' and move on; the custom ROM is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device).
The point of OEM unlock, and rooting at all, is diametrically opposed to the vendor's interest in nearly every facet. The vendor will bark "hackers" as a thinly veiled threat for the uninitiated, but we are initiated. What the vendor doesn't need you doing is erasing their telemetry and walled-garden spyware. They don't need you developing alternatives to their store and to their apps, and they especially don't need you turning this effort into something as simple as an Ubuntu installation for older phones they expect to follow the strict trade-in model of "buy a new phone every year".
arguably Asus refunded the purchase because this person isn't playing by the rules and being a good consumer.
> Using a phone to pay for stuff is an opsec nightmare
Do you mean "privacy nightmare"? Security-wise, Google Pay beats using your physical card since it uses a device-specific number that can't be skimmed by terminals and reused online.
> the custom rom is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device.)
I'd argue that it only makes sense if you have an older device that's otherwise not receiving any more security updates.
EMV chip cards still contain your card number and expiry date.
Skimmers would need a way to also learn the CVC2 from the back of the card to use it at most (but not all!) online merchants, but that's feasible using a small camera or a waiter/cashier accomplice doing the skimming.
With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).
They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.
No, you can most certainly get the card number and expiry via the chip and even over contactless, as it’s a vital part of transaction routing/processing. There are Android apps that can do it.
You can always tell what part of HN regularly goes outside and interacts with normal people. I'm sorry, but "just memorize the CVV and erase it from the card" isn't something anyone really does. The comment that Google Wallet is more secure is a generally applicable comment.
Bank apps, Netflix, and Disney+ also won't work. There are spoofing measures, though I've been burned by unlocking and rooting too often to try again, at least not while my devices are still under warranty.
I always use websites when possible instead of installing yet more spyware disguised as a useful app. My bank, however, has the TOTP built into the app. You can't make a transaction without the phone app connected to the internet.
I meant to emphasize that they force us to install their app. I can't use the website without installing the app, missing the point of using the website.
Magisk + a few modules and most apps should work. The warranty part depends a lot on the country, but at least in Europe I don't think they can deny repairs just because you unlocked the bootloader.
Commercial copyright interests will always seek to maximize their control over the devices that play back copyrighted stuff. Banks at least have more legitimate security concerns since they involve the end user getting screwed rather than the copyright holder.
It sure isn't what it used to be, but if you buy the right phone and make a few moderate compromises, it's still a great option.
Installing crDroid on my OnePlus 9 Pro took half an hour, another half to install Magisk Delta with a few modules. The universal dark mode alone (Xposed module "DarQ") is worth the effort, but also the ability to clone apps, have proper clipboard sync, make full-system backups and customise the look and functions of my OS to a currently unparalleled degree.
The only compromise is I can't seem to be able to do NFC card payments (send or receive), one of my 4 banking apps needs a custom patch every few months to start working, and a friend tells me the McDonald's app doesn't work.
Do you keep a factory image for your OnePlus 9 Pro in case you want to restore it? If so, how do you go about doing that?
After OnePlus decided to stop publishing factory images, I decided to stop buying their phones. It's a real shame, because they really do make some great stuff and prices are quite reasonable generally speaking. I used to buy a new OnePlus phone nearly every year. The OnePlus 6 was one of my favorite phones of all time.
I wasn't aware they stopped publishing them so I didn't back it up, but I can't say I really care for my use case. The only reason I'd need it is to resell the phone, but my plan is to use it until it's either broken beyond repair or backporting new Android versions becomes impossible, at which point nobody would buy it anyways.
I agree the OP6 is great (my girlfriend is still using hers), but I was still on my OP 3 like a year ago, until future ROM updates were deemed impossible thanks to Qualcomm binary blobs.
It's a real shame it's all over now. The OP 9 Pro was the last OnePlus phone made in their old way (or close to it) - not too expensive, well built, close to stock ROM, easy to reflash, decently repairable. Hopefully it lasts me as long as the 3 did because currently I don't see anything else like that on the market.
Yes, I am still on my beloved OnePlus 6 running Lineage and had been looking around for a used 7 or 8 for 5G capability (I'm a bit sketched out by the overall throttling hoopla of 9th gen). Perhaps it's time to expand the search beyond OnePlus.
Eh... that's why I'm pondering going back to OnePlus (after a short affair with Samsung for the past 2 years), because it's somewhat annoying not being able to tweak stuff...
Alas, it's also annoying that some dumb banks (I'm looking at you, ING Poland) consider a rooted device "insecure" but they have no problem if I open a bank page using an admin/root account on the computer.
Hmm, funnily enough, at least a few years ago German ING-DiBa didn't care about rooted phones. I switched banks at some point though, so I have no idea whether that's still true.
It's only a brand, there is almost nothing in common between local branches.
As for ING: about 4-5 years ago it was possible to spoof the check, but about 3 years ago they went full bonkers, and if you didn't get the app from the Play Store (so, for example, from Aurora) it refused to launch...
This is rubbish. I'm running GrapheneOS and have left my bootloader unlocked, and there's no app that has refused to work. The only caveat is some of them need Google Play services. No, I am not rooted, but my last phone was rooted and there might have been one or two apps out of dozens that wouldn't work with root, even with Magisk trying to hide the root status. Using a custom ROM is easily one of the best choices I have made.
So I guess the next thing we need is someone suing the fucking banks that do that. Mine luckily doesn't, because I explicitly use an old phone with LineageOS, the banking app, and nothing else on it for online banking. It's arguably way more secure than using your main phone with a bazillion other apps installed and online at all times.
How would that stick? You can just sign into the bank via your web browser in the case of a nonfunctional app. The apps just give you added security assurances beyond using the web.
"The app can't function in a low security environment, but complainant is free to use the web client in such event." case dismissed
(obviously an oversimplification, but the point stands)
For my banks the only fallback is a hardware device that you put your card into. Before the app you had to carry this everywhere when traveling to do online banking.
Fair. I still wouldn’t want to have such a fallback available by default. Being stronger than an even worse option doesn’t change that. Because it eliminates the security of the strongest option.
Agreed. Unfortunately almost every bank here forces me to use this less secure option "for security" due to my rooted phone. Not one has just offered standard TOTP (perhaps because the pull-only nature of it means they can't present the message explicitly telling the user what they're about to authorize, which is an understandable qualm, I guess).
Well, some offer a hardware device for like 25€ that can do the same thing, but then if you have an account with multiple banks, you need multiple of these devices.
There are app-only banks too. Some of them provide a web interface, but it depends on the app to sign you into the web interface (similar to the way WhatsApp requires you to use the app to sign into WhatsApp Web).
What happens when your primary bank has been one of these app-only banks for the last 5 years, and you decide to make a technology change to your phone, and can now no longer get into your banking app?
When you reject GrapheneOS, the most secure mobile OS on the planet, but accept a no-name Chinese ROM, I feel like you can't invoke security reasons anymore.
Signing transactions usually takes you back to the 2FA app here, where the amount and receiver are repeated.
Even if someone hijacks my computer's web browser, the worst they can do is see my statements; any attempt to transfer out will pop up a prompt in the phone.
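The two comments above (the TOTP "pull-only" qualm and the phone prompt that repeats amount and receiver) describe the difference between a code that proves possession of the device and a code that also authorizes one specific transfer. The following is an added example, not code from any commenter or bank: it implements RFC 4226 HOTP / RFC 6238 TOTP alongside a transaction-bound confirmation code (a hypothetical scheme, with HMAC-SHA256 over counter, amount and payee), and shows that a browser-side attacker who rewrites the payee still gets a plain TOTP code accepted, while the bound code fails. The key, IBANs and amounts are constructed test data.

```python
"""Plain TOTP versus a confirmation code bound to the transfer being approved.

Added example, not a bank's or any poster's code. The transaction-bound scheme
is hypothetical; it exists only to illustrate "what you see is what you sign".
"""
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit word at offset mac[-1] & 0xF, mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits)


def transaction_code(key: bytes, counter: int, amount_cents: int, payee: str, digits: int = 6) -> str:
    """Hypothetical bound code: the details shown on the phone prompt are part of
    the MAC input, so the code only verifies for exactly that transfer.
    The counter prevents replay of an earlier confirmation."""
    msg = struct.pack(">QQ", counter, amount_cents) + payee.encode("utf-8")
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)


def bank_accepts_totp(key: bytes, unix_time: int, transfer: dict, submitted: str) -> bool:
    """Server check with plain TOTP: note that `transfer` is never consulted."""
    return hmac.compare_digest(totp(key, unix_time), submitted)


def bank_accepts_bound(key: bytes, counter: int, transfer: dict, submitted: str) -> bool:
    """Server check with the bound code: recomputed from the transfer it is about to execute."""
    expected = transaction_code(key, counter, transfer["amount_cents"], transfer["payee"])
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    key = b"12345678901234567890"  # RFC 6238 test-vector key, used here as a constructed secret
    now = 1_700_000_000            # constructed Unix time
    counter = 7                    # constructed per-device confirmation counter
    honest = {"amount_cents": 5_000, "payee": "DE00 0000 0000 0000 0000 00"}   # constructed
    tampered = dict(honest, payee="XX99 9999 9999 9999 9999 99")             # payee rewritten in the browser

    # The user reads the honest transfer on the phone and types the code it shows.
    totp_code = totp(key, now)
    bound_code = transaction_code(key, counter, honest["amount_cents"], honest["payee"])
    return {
        "totp_honest": bank_accepts_totp(key, now, honest, totp_code),
        "totp_tampered": bank_accepts_totp(key, now, tampered, totp_code),      # still accepted
        "bound_honest": bank_accepts_bound(key, counter, honest, bound_code),
        "bound_tampered": bank_accepts_bound(key, counter, tampered, bound_code),  # rejected
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The `hotp` function is checked against the RFC 4226 test vectors, so the TOTP half is the real algorithm; the bound scheme is a teaching stand-in for whatever proprietary signing a bank's 2FA app performs, and its point is only that the authorized amount and payee must enter the computation.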
A lot of this actually seems to have come from recent regulatory pressure for 2FA (which I support in principle, don't get me wrong). I don't even think most of them have given much thought to rooted phones, rather they're just cargo culting Industry Standard Best Practices and turning all the device verification options to max. Luckily, most of them realize they still have customers without a compliant smartphone, or one at all, and offer a fallback, which is almost always SMS...
Though you get those newer "app only" banks. I've never used any since I see that as a major downside, not a selling point, so idk whether they tolerate root. Even with traditional banks, I've come across a few features which can only be accessed via the phone app - in this case likely due to the belief that "web? Everyone just uses apps!" rather than security
It's far from secure. You are using an outdated phone, which hasn't received any kind of firmware or vendor security patches in a while. And as far as I remember, LineageOS doesn't support relocking the bootloader, which further reduces the overall security of your phone.
What's the attack vector? There is nothing else installed on this phone, and I only turn it on when the banking website asks me to confirm the login via their app. So it's connected to my wifi for like 5 minutes.
Meanwhile my main phone is always on the mobile network, using a proprietary modem that's running ridiculously complex firmware that does EDGE, LTE, 5G, VoIP, has its own TCP/IP stack and a dozen other super complex protocols, is closed source, gets no security reviews and is exposed to at least my mobile provider at all times. And that's just the modem. Don't let me get started with all the value-add software the phone vendor loaded the device up with, some of which is running with elevated privileges. You seriously think this is more secure?
For UK banks on my Graphened Pixel 6a I can use the apps for HSBC, First Direct, Barclays, NatWest, RBS, Co-operative Bank and Metro Bank with no issues, and have only had trouble with the Lloyds Bank app as of an update from maybe 2-3 months ago, which throws an error saying they've detected I'm using a jailbroken/rooted device.
I get a message that the device is not secure but I can still make transfers and such from the banking app on a rooted OP9Pro.
Never tried to use NFC payments though.
> Do you use a banking app? Last I read depending on the type of check used some apps can still be problematic.
It's important to distinguish between banking app and payment app.
If you just want to check your account balance or find an ATM, the banking app will probably not mind that you're on a device that can't pass integrity checks.
If you want to use your phone's NFC to pay for coffee, though, you're going to have a bad time.
Also many "corporate" things, usually depending on your org's policy. E.g. I can't run OpsGenie (it may actually be the Microsoft SSO step failing, I'm not entirely sure, but the error definitely mentions my device not meeting security policies)
I use N26, Revolut, ING, and others. No issues, I just add the apps I need to the Magisk Hide list. I also use NFC payments. Only Google Wallet does not work.
Yeah, my bank's app both did not work with rooted phones, last I checked, and also appears to whitelist phone models or something: at one point I had an uncommon mid-range Chinese phone and I had to contact support to have them approve my phone.
What are the downsides with GrapheneOS? I had a few problems with root (Netflix and banking apps) but would love my privacy. My main reason for root is the firewall, to block outgoing connections from apps that are not supposed to make them.
It's really a downside of the Google app ecosystem and not GrapheneOS per se, but apps requiring higher levels of integrity per Google attestation (Play Integrity/SafetyNet) generally won't work. Intentionally breaking apps on "untrusted" configurations is basically the point of that feature, and GrapheneOS does provide the relevant services, but they would need to be specifically enabled by the app developer.
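To make the "higher levels of integrity" in the comment above concrete, here is an added example of what an app's backend does with a Play Integrity verdict once Google has decoded the token; it is not GrapheneOS's, Google's or any commenter's code. The step that sends the token to the Play Integrity API is a network call and is left out; the function works on the decoded JSON. The field names (`requestDetails`, `appIntegrity`, `deviceIntegrity`, the `MEETS_*` labels, `PLAY_RECOGNIZED`) are the documented ones, while the package name, nonce, timestamps, the three sample verdicts and the per-feature policy table are constructed for this example.

```python
"""Server-side policy over a decoded Play Integrity verdict.

Added example, not code from the page. Shows why an unlocked-bootloader or
custom-ROM device (empty deviceIntegrity) can still be allowed read-only
features while transfer and tap-to-pay are gated behind device labels the
developer chose, and why the nonce and timestamp must be checked first.
"""
import json

MEETS_BASIC = "MEETS_BASIC_INTEGRITY"
MEETS_DEVICE = "MEETS_DEVICE_INTEGRITY"
MEETS_STRONG = "MEETS_STRONG_INTEGRITY"

# Policy chosen for this example: which device label each feature requires.
FEATURE_POLICY = {
    "balance": None,              # read-only: no device requirement at all
    "transfer": MEETS_DEVICE,     # Play-certified, unmodified device
    "nfc_payment": MEETS_STRONG,  # hardware-backed attestation, recent patch level
}

EXPECTED_PACKAGE = "com.example.bank"  # constructed package name
MAX_AGE_MS = 60_000                    # how long a verdict stays usable


def evaluate(verdict: dict, feature: str, expected_nonce: str, now_ms: int) -> tuple:
    """Return (allowed, reason). Binding checks come before the device labels:
    a perfect verdict minted for another request or another app proves nothing."""
    req = verdict.get("requestDetails", {})
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token was not minted for this request"
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return False, "token requested by a different package"
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= MAX_AGE_MS:
        return False, "stale or future-dated token"
    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app binary not recognised by Play"
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    required = FEATURE_POLICY[feature]
    if required is not None and required not in labels:
        return False, f"{feature} requires {required}; device has {sorted(labels) or 'no labels'}"
    return True, "allowed"


# Constructed verdicts in the documented layout; values are invented.
NONCE = "c2Vzc2lvbi0xMjM0NQ"            # constructed per-request nonce
NOW_MS = 1_700_000_060_000              # constructed server clock

VERDICT_STOCK = json.loads("""{
  "requestDetails": {"requestPackageName": "com.example.bank",
                     "timestampMillis": "1700000050000", "nonce": "c2Vzc2lvbi0xMjM0NQ"},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.bank"},
  "deviceIntegrity": {"deviceRecognitionVerdict":
                      ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]}
}""")

# Custom ROM with unlocked bootloader: app came from Play, but no device labels at all.
VERDICT_CUSTOM_ROM = json.loads("""{
  "requestDetails": {"requestPackageName": "com.example.bank",
                     "timestampMillis": "1700000050000", "nonce": "c2Vzc2lvbi0xMjM0NQ"},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.bank"},
  "deviceIntegrity": {}
}""")

# Same stock device, but a verdict captured a long time ago (replayed token).
VERDICT_STALE = json.loads("""{
  "requestDetails": {"requestPackageName": "com.example.bank",
                     "timestampMillis": "1699999000000", "nonce": "c2Vzc2lvbi0xMjM0NQ"},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": "com.example.bank"},
  "deviceIntegrity": {"deviceRecognitionVerdict":
                      ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]}
}""")


if __name__ == "__main__":
    for name, v in [("stock", VERDICT_STOCK), ("custom_rom", VERDICT_CUSTOM_ROM), ("stale", VERDICT_STALE)]:
        for feature in FEATURE_POLICY:
            print(name, feature, evaluate(v, feature, NONCE, NOW_MS))
```

This is the split the thread keeps circling back to: the same custom-ROM verdict passes `balance` and fails `transfer`, and the policy lives entirely in the backend's table, which is why one bank's app tolerates an unlocked device while another refuses.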
A firewall wouldn't be necessary with GrapheneOS. There's a network toggle which you can use to completely cut off internet access for an app. As for the downsides, I would say close to zero. It feels just like a stock OS, without any kind of bloatware, and a lot more secure.
What? SafetyNet is absolutely a pain in the ass. I think there are some Xposed and Magisk modules or whatever that can work around it, but that's a cat-and-mouse thing and can break. Lots of bank and financial apps and lots of stuff with DRM will break.
If you root, you can bypass those issues in most cases. I have 3 apps detecting it that I can bypass, and only the German health insurance app from TK detects it (according to the internet, it's getting past most solutions somehow). It's not something I'd recommend to the average person, but for people who care enough to fiddle, it's still the best way.
I think since my first Android (HTC Desire Z/T-Mobile G2) I spent a total of 1 week on stock, never was a fan of any of them.
Largely depends on your priorities and level of effort.
You can bypass all current app checks using Magisk and Play Integrity Fix, but it's a bit of work to maintain and can break occasionally. You gain in this case full control of your device like a desktop OS: block ads, modify app behavior, disable unwanted system features. But you have to put in effort to maintain it.
However, if you don't want to deal with that, you can also just not use those apps: use it like you would a Librem or PinePhone, load primarily open source software onto it, optionally don't even bother with the Play Store, etc. Might not be for everyone, but if you don't care that much for Google Wallet or multi-player games on your phone, it's not a bad option.
I have it on my Pixel 7a, and it's a great experience, but I also don't need to run apps that check for phone "security" or integrity. This is the case OP is talking about.
If they mandated Discord as a closed support community, sure, but you can't be too upset by the mere affiliation with a Discord channel when they also offer all the above.
If I remember correctly, their Matrix channel was flooded with spam and abuse which was primarily coming from Calyx, which by the way is a terrible OS. Even a stock OS would perform marginally better in terms of security than CalyxOS.
The website is built with Next.js and deployed on Vercel.
It's so fast because Next and Vercel do a lot of smart optimizations with the code and the images.
Also, because the screenplays are not stored in the database, just in one large local JSON file, the server doesn't have to make an extra request to the database.
Very true, and it does. But there are fortunately still plenty to enjoy (as well as plenty of pleasures outside of games!). I mean, just chess and Geometry Wars are enough for a lifetime.
Also, it's easier for me to stomach/look past the ideological biases in stuff like FPS and action-adventure games, because they tend to largely be right out in the open on the surface narrative / world-building layers. For example, if you don't like the Guardian feminism of Horizon Zero Dawn or the jingoism of CoD, you can just kinda ignore those aspects and enjoy the mechanics, art, exploration, etc., or at least I can. Vs. the bias black box of simulation games.
Ah yes, a game that reinforces that lowly peons should be sacrificed in battle so that the 1% can come out on top. No possible conflicts in morality there /s