Comment by Elfener
1 day ago
I like the android way of security, where "rooting" your device to install updates is insecure, but using a horrifyingly out-of-date android (because your manufacturer, the only one who can update your device, didn't bother) is secure.
It's because "security" is not a user one, but a security of Google Play Services.
As rooting may tamper the google's telemetry (can we already call it "spying" please).
Not to mention, play integrity is being used a some sort of "anti cheats" by bank apps and other essential services. Even some government apps in the EU, essentially forcing you to be spied on by google.
The worse part is that, you can do all of those functionality with a browser on linux (or Android), yet to use them as Android apps on a device without gapps (even if jt's not rooted and with locked bootloader) is not allowed. Make this make sense.
> Even some government apps in the EU, essentially forcing you to be spied on by google.
The same in India. I can't use even the government weather app and the disaster alerts app without signing in to google play.
Seeing that this malpractice (of forcing the users into Google's surveillance net) is widespread among seemingly unrelated agencies like banks and government agencies of several nations, I would really like to know who is peddling this draconian scheme among them.
I want to send some angry rants to the app owners/developers and ask for those malicious peddlers to be permanently banned from further interference in cyber security matters of these institutions.
10 replies →
> The worse part is that, you can do all of those functionality with a browser on linux
This isn't true, actually. Banks and gov entities use those mobile apps as authenticators. They do have a distinct purpose.
5 replies →
The reason this happens is because big companies get their software pen tested. Part of the pen test report will include something like “accessible from jailbroken devices.”
The pen test results get put into the ticket system as immovable entries. Engineers will question them, only to be shot down by the cyber security department who organized the pen test. The engineers will eventually accept that they cannot convince cyber to drop the issue, and implement the jail break detection.
Why does cyber mandate it? Because no one in a large company wants to accept the risk, even imaginary risk. They want to be able to say, when security is breached, “we did our due diligence. Look at the report, we implemented everything in it”
Why do firms offering penetration testing keep putting junk like this into their reports? Because their automated tools list them out and they’re getting paid to find issues. The more the better.
It’s insane and entirely about passing off risk.
> Even some government apps in the EU
The Dutch ID app got rid of all trackers and such requirements last year, but they didn't go the full length and made an F-droid repo (or a government store or sth).
Google actively guiding developers to APIs like the Play Integrity API (which requires not only you register the phone with Google on a Google account, but also an untampered device, outdated or not.
I don't even root my devices, just using something like Lineage already gets you the basic-integrity Max. Not enough for many banking apps.
There was a time when we did call it spying. Programs that had what we would now call telemetry used to be called spyware.
The term has fallen by the wayside and hardly ever gets used nowadays.
We just call it "apps" now.
That's a very good observation
It's the security of the ecosystem, where the interests of app vendors are fundamental: content distributors can count on enforcing DRM, and banks are relying on the camera used for KYC actually being a camera and not a virtual device.
It's about keeping google's device secure *from* the user.
Just accept being spied on, it’s not as if there are genocidal billionaires out there.
I think you had the wrong idea on security here, the security is for the device manufacturers benefit to obsolete the hardware and force you to buy a new one not for your benefit. All the data is already being shipped off to where the hell ever for building models of you for advertising and more.
Android does have a meaningfully improved security over typical Linux desktop: the segmentation of data between apps. Imagine what would happen if people run all the proprietary crap they do on a typical Linux box. That's multiple spyware apps with full filesystem access.
Unfortunately, Google also uses it to abuse the user by also segmenting the user's access as well, "protecting" apps from the user, which is an abomination.
We have Flatpak/bubblewrap that can accomplish the same sandboxing on the Linux desktop, with no need for clumsy hacks like app-specific user ID's.
And yet, I keep all my important stuff on my Linux laptop and not on my phone. There's maybe a lesson here that security is also about trust.
Me too. But you have to be a lot more careful about not running proprietary crap on the desktop, which is easier to do than on phone. Ever been forced to install some crap for some event/business/etc?
2 replies →
The whole security of both Android and iOS is a joke at this point. We know now that plenty of apps/games have proxy services built in, allowing the publisher to monetize their users, by selling proxy services to AI companies. If that can happen, with all the "security" those platforms and store supposedly offer, then I fail to see the point.
We're being prevented from installing and updating software on the devices we own, but Google and Apple will happily approve and sign malware in their stores?
They’re one in the same. You can’t exploit privilege escalation vulnerabilities unless you are vulnerable to them!
Android devices are enraging. ARM in general, why is there never a boot loader?
I have a little Android handheld game device that will allow me to dual boot a Linux from SD quite easily... but why can't I overwrite the existing install? I thought Android was more open and hackable than that.
Well there is a bootloader - on Qualcomm its even UEFI, but you don't have access to it.
https://worthdoingbadly.com/qcomxbl/
That's somehow worse. Good for them that they made it convenient to launch their software on the device I paid for.
I've got an Anbernic RG353M, came with a dual boot as you've described. I completely wiped it and only have ROCKNIX on there, a minimal distro based on LibreELEC, I believe. I actually maintained an Android + ROCKNIX dualboot at first, but it breaks the sleep function for some reason, and the ROCKNIX docs for this device say to remove Android, so eventually I did. I didn't actually use the Android side but had kept it around just in case before.
Not all these devices have the same level of support, so do your research on your model before trying to overwrite the install.
I went with a Retroid after seeing articles about people booting ROCKNIX on it. And one can, from SD. But I did not do enough research to see there was no documentation on writing Linux to the internal storage.
I'm so tired of doing research. I'd just like it to be a functioning BIOS. I at least learned my lesson and have stayed clear of other Android devices.