hi crew,
I couldn't seem to find the answer or a logical breakdown on this topic, so I wanted to hear from the folks here at xda. I'm relatively new and just learned about this website last year while I was searching for things to do with my HD2. I used to flash all kinds of stuff on my phone and really enjoyed it. However, I moved on to the Sensation, touchpad, kindle fire, and Dell 7.
Except for the touchpad (cm7), I'm keeping everything else stock and unrooted. This year alone there were several incidents with security on the android platform .. Skype, malicious apps on market and forums, and I believe there were also issues with custom roms for folks in China. I guess my question is .. How easy is it to include a malicious coding into a custom Rom? If a developer/chef can modify just about every aspect of this platform then I'm guessing it won't break much sweat for them to include these spying coding into a custom Rom?
Don't get me wrong because I truly believe that 99.999% of developers on this forum are dedicated and passionate about giving us the ultimate user experience. But if you look at the math, it only takes 1 out of every 100,000 and that's enough to create fear in many of us. Is there a way for users (common users) like myself to determine if there is something else coded in a custom Rom? Would it help at all to protect our privacy with an AV?
Of course, one answer to my question is to avoid custom Rom! But yet, with the recent news about carrier iq even with stock you are still being monitored. Since I'm not a developer and have very limited knowledge about this area, I just wanted to ask the questions here to hear inputs, suggestions, and opinions from more experienced users (and perhaps developers if any). Thanks!
Thread moved to Q&A due to it being a question. Would advise you to read forum rules and post in correct section.
Failure to comply with forum rules will result in an infraction and/or ban depending on severity of rule break.
qdochemistry said:
How easy is it to include a malicious coding into a custom Rom? If a developer/chef can modify just about every aspect of this platform then I'm guessing it won't break much sweat for them to include these spying coding into a custom Rom?
Very easy.
qdochemistry said:
Is there a way for users (common users) like myself to determine if there is something else coded in a custom Rom? Would it help at all to protect our privacy with an AV?
It depends. You could use an antivirus, but they mainly just scan your apps, media, and settings; so if the malicious 'thing' is directly built into the rom, it will not be detected. If it was an app (or in one), then there is a chance it would be detected.
Thanks .. those were indeed my thoughts, but since I don't know much about coding or "cooking" I figured I'd ask. XDA is a great community but it is a scary thought having to think that our privacy with custom roms is entirely relying on the "honor code" of developers. I have not read about any isolated incidents with infected ROMs, and much less would something like that happen here at XDA. I hope I am correct with the assumption that ROMs being released here are somehow being cross-checked by someone .. but I guess that would be a great amount of effort as too many ROMs are being released everyday on this site.
Again, there are many reputable developers in this community but just thought that I'd ask since it would only take one to ruin the effort of a million ... if anyone got thoughts or opinions feel free to comment.
Thanks for replying
I think that's a very valid concern. I am using a custom rom right now so this is also my concern.
I hope I am correct with the assumption that ROMs being released here are somehow being cross-checked by someone .. but I guess that would be a great amount of effort as too many ROMs are being released everyday on this site.
Well, I don't think there is anyone / any party responsible for checking the released ROMs given the amount of work required... So what I do is avoid dealing with anything sensitive on the phone (even when I was using Stock ROM). All this kind of stuff I will do with my desktop where I feel I have more control.
lol .. same here .. on devices with ported ROMs I am quite careful as to what I do with it .. and on stock devices I do keep the number of apps to the minimum. But it's just sad being that way .. or maybe I'm just paranoid!
Given the compromises found in Android recently and being something I've thought about quite a bit.
"Most" Roms seem to be very rarely updated and if you're using a provider like Straight talk you probably don't get updates anyways.
So, I'm quite curious how Security vulnerabilities are handled? I doubt the Roms are so different that they prevent these flaws from occurring. I'd have to imagine roms may very well introduce new ones.
My thoughts on what the community can do.
I'm not a developer and frankly I'm not into the loop as well as I can be. But, I typically use older phones that aren't getting the support the newer ones are. So, being in the loop of some stuff was never a big concern of mine.
Anyways, first off I'm curious about a security auditing group. A group that can go through the most popular roms of each phone and determine if there are any security concerns. Then this group can offer a label or signing of some kind saying the rom passed the inspection.
Roms like Hyperdrive that have a ton of unique tweaks. Well, to me, when you are adding and removing things I would naturally assume you are probably adding security flaws about as much as you'd remove them.
Security and Privacy is a concern we all have. I imagine that's part of why many people switch to Roms as they remove certain privacy issues and security vulnerabilities.
But, honestly in the community what do we have that really tells us about the security situation of roms and what may be affected by recently discovered issues in Android itself?
Things can legitimately make a rom useless and even a concern to use if it's severe enough.
What about newer people coming in and they start using a rom that's affected?
Thoughts?
Your biggest issue is you can't look at the code for roms. All roms from OEMs are closed source. All you can focus on is AOSP.
As for security. There will always be security issues. That is just part of a computer based system. That's why anyone that is in the loop doesn't keep anything really important on a mobile device.
Hello!
Now, who am I, I am a dude who got sick of his android phone and decided to take the initiative!
Well, you see, many many Android users get sick of their phones, of the bloatware by the manufacturers and their user interface, we got tired of not getting the updates and falling back!
So what do we do, we root and probably install a Custom ROM, pretty good eh, android is about choice after all!
So, what happened.. I tried doing the same, didn't get satisfaction from the ROMs available for my phone, and now I am stuck.
As they say, if you want something done, do it yourself, which is why I decided to take upon myself the responsibility of making a Custom ROM for the user, I want to leave the source code out there, for everyone and anyone to tinker with it and port it to his phone, and I wanted to create the ROM the Android master race deserves...created by a user for users
You might think "This is all wonderful, but where do I come in?"
You, sir, are the user, you are the one this project is created for, and I need your help
I need you guys to help me create this ROM, I need you to tell me what you want to see in that ROM (Marshmallow), I want you to tell me what features are needed and what features are desired, what do you guys think Android M lacks and what shouldn't be touched, what should I improve and what should be left alone, I need your help to make something you would want to use.
HEY, ANDROID IS ALL ABOUT CHOICE AFTER ALL, AND I WANT YOU TO MAKE THE CHOICE!
P.S.:If you could name your phone, what UI or CustomROM you're running (or any CustomROMs you have used before) and tell me what features were implemented there and I should recreate or improve, the pros and cons of your ROM
P.P.S.: I know I am asking for too much here, but as you might have thought, this looks like lots of work.
If you are interested in helping or being part of the UberROM project (name subject to change), tell me here, if you're a dev with experience on porting ROMs and tinkering with the AOSP, let me know, I could use all the help I could get!
Thank you!
I am buying a new phone, the S8+ to be exact, and there have been a lot of new developments (problems) when it comes to rooting your device. I've been rooting my smartphone devices for over 10 years because I love the freedom it brings (er, brought). Now I read things like Netflix, Snapchat, and AndroidPay not working on rooted devices. So I am wondering what people's experiences have been like. Any regrets? Are the trade-offs worth it to you? Is it worth being able to uninstall bloatware and install custom ROMs if a lot of other features and apps will stop working? I know most of this is personal preference but would like to know more about what other people have experienced.
billybag said:
I am buying a new phone, the S8+ to be exact, and there have been a lot of new developments (problems) when it comes to rooting your device. I've been rooting my smartphone devices for over 10 years because I love the freedom it brings (er, brought). Now I read things like Netflix, Snapchat, and AndroidPay not working on rooted devices. So I am wondering what people's experiences have been like. Any regrets? Are the trade-offs worth it to you? Is it worth being able to uninstall bloatware and install custom ROMs if a lot of other features and apps will stop working? I know most of this is personal preference but would like to know more about what other people have experienced.
First and foremost, if you plan on getting a US variant, meaning it will have an SD835 in it, root is unlikely to come soon for it. This doesn't mean it won't happen, just not soon. Now if we're talking international, the ones that ship with an Exynos in it, they're rootable now.
Now, with that out of the way, let's get into the questions you've asked. There will indeed be a selection of apps that will not work when rooted these days because of "SafetyNet" check failure. Some of the biggest would be Snapchat and Android Pay. However, they will work with the assistance of Magisk, which will allow SafetyNet to pass its check. Same goes for most apps that fail to work because of root presence.
Heading back to what I first mentioned now, rooting a Samsung device of recent years comes with some pretty notable cons to it. These would include loss of KNOX. I'm not sure what your stance on security is, but if security is a concern to you, losing KNOX is not good. Another big and notable con is you will lose all Samsung Pay support permanently. Actually, to be honest, both of the latter are permanently lost once rooted. If these things aren't a concern for you then by all means root away.
On to other things now: rooting these days doesn't present as many attractive things as it used to, especially on a Samsung device. Most OEMs have given alternatives to many of the things a user couldn't do without root before. Currently there is no Xposed on Nougat and above; it's being worked on but there is no foreseeable date that can be given on when it will be completed.
So all in all, until root is achieved for the Snapdragon variants, I'd hold off on a purchase of an S8. If we're talking Exynos variants then by all means get one; as I've said, they're rootable right now. But don't let that be the ray of sunshine. Though they're rootable, they're in fact an Exynos, and Samsung is unwilling to provide source code to their Exynos chipsets. Which basically means to you that custom ROMs will be limited to rehashes of the stock ROMs with a couple mods if possible. AOSP such as Lineage and others like it are next to impossible to happen on Exynos without a source code to work from. It has been done before but the resulting roms took a long time to develop and either were extremely buggy or were just simply not usable for daily use.
I'm pretty sure I've hopefully covered every aspect I could but if you've got any more questions I'll surely answer them.
I apologise for this being so long lol.
Perfect. Thank you, this helped a lot.
billybag said:
Perfect. Thank you, this helped a lot.
Glad I could help. Again, sorry it was a lengthy response but it was necessary to cover all of it.
Hi everyone,
I can't find a satisfactory answer on my favorite search engines, so I thought I'd come here and ask. Sorry if this question has already been put on the table, carved, sliced and gobbled, I couldn't find trace of it in the forum's search engine either.
My phone's a Leagoo T5c that will forever be stuck on Android 7.0, it seems, because the OEM has already lost interest, and because its SoC makes it difficult, if not downright impossible, to find a suitable custom ROM.
The latest ROM I could find and install on this phone goes back to August of 2018 (no-no, no typos), and its Security Update is even one month older (July 2018).
My question is in the title: Is it possible to install Security Updates without reinstalling/updating/upgrading the firmware itself, like you would in, say, Windows or any other OS, I presume?
UglyStuff said:
Hi everyone,
I can't find a satisfactory answer on my favorite search engines, so I thought I'd come here and ask. Sorry if this question has already been put on the table, carved, sliced and gobbled, I couldn't find trace of it in the forum's search engine either.
My phone's a Leagoo T5c that will forever be stuck on Android 7.0, it seems, because the OEM has already lost interest, and because its SoC makes it difficult, if not downright impossible, to find a suitable custom ROM.
The latest ROM I could find and install on this phone goes back to August of 2018 (no-no, no typos), and its Security Update is even one month older (July 2018).
My question is in the title: Is it possible to install Security Updates without reinstalling/updating/upgrading the firmware itself, like you would in, say, Windows or any other OS, I presume?
With Android 10, Google Play security updates were introduced that let you receive security updates (not all of them, unfortunately; some require an upgrade) without updating the full OS. You can't do it because you're stuck with the wrong Android version.
Hopefully you won't have any issues with hacking, but consider buying a new phone when you get a chance.
Security updates get rolled out as OTA by OEM/Carrier if they consider it's necessary. You can't force it. Theoretically, all Android smartphones should get around two years of security updates. However, the reality is often very different.
The Leagoo T5c is a small-budget phone that was sold for 99 USD - so more or less a disposable item. You cannot expect OEM/Carrier to have any interest in providing updates for such a phone.
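Both replies above come down to two values the phone reports about itself: its Android version and its security patch level. As an added example (not from the thread), this Python sketch reads them from `adb shell getprop` output and reports how old the patch level is and whether the Android 10+ Google Play updates can apply; the sample properties are constructed to resemble the phone described, and the 90-day staleness threshold is an assumption.

```python
import re
from datetime import date

# Google Play system updates arrived with Android 10, which is API level 29.
PLAY_SYSTEM_UPDATES_MIN_SDK = 29

# One `getprop` line looks like: [ro.build.version.sdk]: [24]
PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]$")

# Constructed sample (not captured from a real device), shaped like the phone
# in the thread: Android 7.0 with a July 2018 security patch level.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2018-07-05]
[ro.product.model]: [T5c]
"""


def parse_getprop(text):
    """Turn `adb shell getprop` output into a dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def assess_patch_state(text, today, max_age_days=90):
    """Report patch age and whether OS-independent Play system updates apply.

    max_age_days is an assumed policy threshold, not an Android constant.
    """
    props = parse_getprop(text)

    sdk_raw = props.get("ro.build.version.sdk", "")
    sdk = int(sdk_raw) if sdk_raw.isdigit() else None

    # The property is absent on very old builds and may be malformed on
    # modified ones; treat both as "unknown" rather than crashing.
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        patch = None

    age = (today - patch).days if patch else None
    return {
        "release": props.get("ro.build.version.release"),
        "sdk": sdk,
        "patch_level": patch,
        "patch_age_days": age,
        # Unknown patch level is reported as stale: it cannot be shown current.
        "stale": age is None or age > max_age_days,
        "play_system_updates": sdk is not None and sdk >= PLAY_SYSTEM_UPDATES_MIN_SDK,
    }


if __name__ == "__main__":
    for key, value in assess_patch_state(SAMPLE_GETPROP, date(2020, 11, 1)).items():
        print(f"{key}: {value}")
```

On a real device the input would come from `adb shell getprop`; the patch level is a value the build reports about itself, so on a ROM from an untrusted source it shows what the ROM claims, not what it contains.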
Thank you both for your explanations. I understand that Android works differently when it comes to updating itself, mostly because Google isn't the only party to have a voice in the chapter; still, it's unnerving to see that the end-user is more or less captive anyway.
It kinda defeats the very purpose of an open-source OS, to have to wait for an OEM to release (or not) an update, when you could install the patches yourself.
As for buying another phone, well, as soon as I've got the dough, I will, believe me. Not because I'm dissatisfied with this one, but because I don't like the idea of totting around with a phone that hasn't seen a security update in over two years.
I'm also seriously considering moving to Ubuntu Touch, though there again, my phone's exotic platform could be problematic. Custom ROMs seem to be as complicated an avenue as others, too.
All in all, Android isn't what they sold me: It's not secure, it's not "free", it's just another way to make you shell out bucks for new hardware every couple years.
Android is just iOS without the eye-candy, you ask me...
UglyStuff said:
Thank you both for your explanations. I understand that Android works differently when it comes to updating itself, mostly because Google isn't the only party to have a voice in the chapter; still, it's unnerving to see that the end-user is more or less captive anyway.
It kinda defeats the very purpose of an open-source OS, to have to wait for an OEM to release (or not) an update, when you could install the patches yourself.
As for buying another phone, well, as soon as I've got the dough, I will, believe me. Not because I'm dissatisfied with this one, but because I don't like the idea of totting around with a phone that hasn't seen a security update in over two years.
I'm also seriously considering moving to Ubuntu Touch, though there again, my phone's exotic platform could be problematic. Custom ROMs seem to be as complicated an avenue as others, too.
All in all, Android isn't what they sold me: It's not secure, it's not "free", it's just another way to make you shell out bucks for new hardware every couple years.
Android is just iOS without the eye-candy, you ask me...
Android isn't iOS precisely because you can break free from your OEM by flashing a custom ROM. You can develop one for almost any device as long as the OEM releases the kernel source code. And most OEMs do (except for some very unknown phones).
Custom ROMs like GrapheneOS are made to free you from Google services and are truly privacy oriented. And all of that is possible because Android is open source.
Trust me, the Android community has always worked actively to counter aging of their devices (including me).
Just buy a phone with a solid community behind it and you'll be able to keep it up to date a looong time.
Raiz said:
Android isn't iOS precisely because you can break free from your OEM by flashing a custom ROM. You can develop one for almost any device as long as the OEM releases the kernel source code. And most OEMs do (except for some very unknown phones).
Custom ROMs like GrapheneOS are made to free you from Google services and are truly privacy oriented. And all of that is possible because Android is open source.
Trust me, the Android community has always worked actively to counter aging of their devices (including me).
Just buy a phone with a solid community behind it and you'll be able to keep it up to date a looong time.
I agree with you in principle, but if I must take an example: I have this Early 2006 MacBook Pro with a Core Duo CPU that precludes me from even installing Mac OS X 10.7 "Lion" on it, because the CPU is 32-bit-only, and Lion requires a 64-bit CPU.
The machine itself works very well, albeit a bit slowly, but then it's got only 2 GB of RAM and a 120-GB SSD. When I got fed-up with OS X applications not updating/upgrading and Firefox addons not installing because my copy of Firefox was too old, I partitioned the SSD, installed rEFInd as boot manager, and installed Zorin 15.2 (now 15.3) Lite 32-bit.
I now spend more time on the Linux side of this Mac than on the OS X side, and updating/upgrading it is a breeze, either via the dedicated application or in Terminal. I know there'll be an end-of-the-line there too, someday, but at least I'll keep using this Mac until it truly dies on me, not when Apple tells me it's dead.
This, for me, is the very essence of open-source: Not just the fact that it's free, but that you can revive an old machine and keep it running long after Apple et al have decided that it had gone the way of the dinosaurs.
The same doesn't apply to Android, alas. Here, you must have a compatible SoC/chipset/what-have-you, a Treble-compatible device, you must have this, you must have that...
In the end, only a fraction of Android users really get to enjoy everything their device has to offer for as long as they choose; the others just pop into the nearest phone store, be it brick-and-mortar or cyber, and must produce their credit card.
My question was as much a challenge to myself as anything else. I would really like to learn how Android works, but the tutorials and articles I've found here and there are all a bit cryptic.
That's why I'm regularly prowling this forum, I guess.
"Hunting high and low", as the song goes... :laugh:
Yep, good question, but Google & manufacturers are in it for the moola, not the user's 2 yr old phone.
hiitsrudd said:
Yep, good question, but Google & manufacturers are in it for the moola, not the user's 2 yr old phone.
Don't I know it! It's true that even budget phones have decent specs nowadays, still, why dump a perfectly functioning phone simply because you can't update/upgrade the software?
I understand Google's rationale, of course: They invest tons of money year after year after year to keep the whole boat afloat, and they need a steady income. OK. Still, to not be able to keep your phone ***safe*** is a no-go for me.
I'm seriously beginning to think about installing Ubuntu Touch on the device. I think I'm going to try that next weekend.
I'll probably come back here with my eyes red, asking for help in unbricking my phone, though.
Stay tuned! :good:
A followup: if you are mindful of your own security it's conceivable to get more usage out of that Android. I don't use a banking app, but if need be, use a good browser (that's updated, of course) and update all often used apps via the Play Store. I'm still running Oreo on my phone. FYI, you iOS ppl need to do critical updates asap.