Your increased trust in these stores is motivated by .... what governance and audit structure?
Yes, it's a devil's-advocate position. You might (for instance) have high trust because you know them from hacker traeff you've been on, f2f. I can't have this a-priori knowledge.
From here, this looks no better than "trust google" and in some dimensions looks significantly worse. Of course for the primary goal of "distrust google" it works very well.
(well done btw, it's a good, complete list, and has apps I think I too would put on my need-list)
F-Droid is attempting to support reproducible builds--if you have a Debian system, you should be able to re-build the same .apk, or at least a similar enough .apk that the original package signature still passes.
That said, by my quick count, only about 18% of the F-Droid packages are reproducible right now.
F-Droid doesn't package Binary drivers. They don't package drivers altogether, and they don't package anything they don't compile. They used to package upstream Firefox, but they don't seem to do that anymore.
They don't package upstream Firefox, but you can get GNU IceCat Mobile (which is the GNU fork of it). And they also package Firefox Klar (which is the European edition of the "always incognito" version of Firefox they released last year, with all the telemetry disabled).
Firefox Focus elsewhere I think? I really like the concept, I've made it the default browser for opening links and switch to Firefox mostly just when something doesn't render properly (scripts blocked perhaps?)
Google: track every detail of your life and use it to serve up ads that support their bottom line. Implements changes that serve themselves at your expense.
F-Droid et al: build cool open-source software cause they like cool open-source software. Implements changes because they make the software better.
I understand you're frustrated, but there are a lot of us at Google who are also just trying to build cool open-source software, and in cases such as mine, building it so that others can use it to build even better things with less work. =(
But you're still there to make Google more money. What do you do when they tell you to build a feature that's supposed to Extend and Extinguish? I'm guessing often you wouldn't even really know.
>Google: track every detail of your life and use it to serve up ads that support their bottom line. Implements changes that serve themselves at your expense.
I think you're missing the part where a user benefits from their services.
I mean, it's not as if users get nothing out of this arrangement. The vast majority of users feel they're getting a good deal. Just because you don't think it's a good deal for you, don't impose it on others.
I feel that, for the most part, what google offers is fair enough. There are some instances, however, where they completely ignore the needs/desires of their users though.
Google Home Page and Reader are the big two... both extremely popular, and plenty of opportunity there. Hell, at this point, I'd like to see Google offer a website similar to what I get on my phone's new tab screen now (articles of interest). I find it hard to actually trust any google services beyond search and gmail (only hoping they don't nix gmail without a LOT of notice).
Cons: You end up in Apple's high walled closed source garden. And have to deal with whatever they remove from the next iteration of the device based on their whims and fancies. And the exorbitant price tag.
> You end up in Apple's high walled closed source garden.
Google’s ecosystem is just as negative as Apple's walled garden. If you want, you can build and sign your own apps and put them on your device on an iPhone.
> And have to deal with whatever they remove from the next iteration of the device based on their whims and fancies.
I presume you’re talking about the headphone jack, which google followed up by removing from their pixel phone 12 months later? Why does apple get the hate here and not google?
> And the exorbitant price tag.
An iPhone 8 is £699 new right now, and a pixel 2 is £629. An 8 is £48 a month, and a pixel 2 is £53/month on contract (I’m sure there are better deals but I’m on a phone) - it’s disingenuous to call Apple out for having expensive high-end devices when the Google equivalent is just as expensive.
"Google's ecosystem" is Android, not just their overpriced pixel phones, so Google get hate in some quarters for losing the headphone socket but it's not an Android thing. You can pay a few hundred pounds for a perfectly good Android phone and run as-is or replace with a true open source alternative, with headphone sockets (so no need to turn your lossless files into a streamed lossy mess courtesy of Bluetooth). I pay £9 for 4 gigs of data. In no way is Apple anything like at parity with Android here. With Android you choose what you pay and what you get. I'm bored of phones and apps now, so I'm out of the "spend a grand every two years/£50+ a month for an average camera and the ability to choose to install about 15 of the 17 million apps out there" game but if that's your thing there's a phone for you. With a headphone socket.
> If you want, you can build and sign your own apps and put them on your device on an iPhone.
HA! Sure. For $100 a year. And from a Mac.
> I presume you’re talking about the headphone jack, which google followed up by removing from their pixel phone 12 months later? Why does apple get the hate here and not google?
Because Pixel is not the only choice one has inside the Android ecosystem, as opposed to iOS one? Samsung, Sony and others still have the jack afaik.
I agree with you about price though. Apple is no more expensive than others (considering the quality of build).
If they can prevent it Apple will of course not allow you to run any pirated app you want. That’s the flip side of being on the platform where developers actually earn money.
> Off topic. Using F-Droid, you don't need to touch Google's ecosystem.
Absolutely. I still don't get why I can't compile and deploy my own apps on my own devices without paying Apple $99 a year.
I thought it was really cool that you can deploy apps you compile yourself on your device out of the app store without paying the $99 yearly fee but apparently that's not the case.
> There are three levels: $300/yr for "enterprise" allows you to deploy your app on a large number of devices within your organization (and the terms of service are very explicit that the devices must be under your control: not even for testing by a customer at an off-site location unless you are overseeing), $100/yr for an individual or company normal developer license that lets you install your app for testing purposes on up to 100 of your devices for one year (after which point the apps expire and you have to reinstall them), or $0 for truly "free" provisioning (no yearly fee) which lets you install up to three apps (total; not per account: across all free accounts any device can have only three such apps) on a device using a slightly limited set of APIs (for example: no VPN support) which expire every seven days.
> Clearly the free tier is pretty worthless in the grand scheme of things, and being able to write software for you but not being able to legitimately give it to anyone else not also paying the $100/yr "please let me own the piece of hardware you sold me instead of renting it" tax is not really acceptable for people trying to learn to write software as a big part of software is being able to give it to other people. In practice, though, a lot of people are seriously only learning to develop so that one day they can pay the full Apple developer tax and deploy their apps to the App Store under the Apple software approval process, and so it works out: like, to them, software development is all about writing software for Apple hardware under Apple's rules, and that's what Apple wants anyway. The entire scenario makes me feel a little sick: this shouldn't even be legal as far as I'm concerned.
> I thought it was really cool that you can deploy apps you compile yourself on your device out of the app store without paying the $99 yearly fee but apparently that's not the case.
It's the case as long as you manually recompile them once a week when the code signing cert expires. It is deliberately impractical to actually distribute apps this way.
So you know what all the Google Play services are doing on your phone? You can compile apps from source and put them on your own phone, you just can't distribute your own compiled apps without a paid developer account.
Ah, got it, that's unfortunate. I remember some time ago, Mozilla said that they wouldn't put a browser on iOS unless it could use Gecko. When I saw the app I assumed that the restrictions had changed.
This is exactly what we mean when we say closed garden and extortion. If firefox wants to exist on the platform, they have to play by apple rules. Apple are just fine without firefox so they don't care.
Mozilla has done the best they can, given the restrictions imposed on them by Apple.
This effectively means that Firefox on iOS has no support for extensions or addons like on Android... Because Apple and Safari doesn't allow that.
It's definitely not what people have come to expect from Firefox over the years, but at least I get to seamlessly sync my bookmarks, history and passwords with my desktop browser of choice.
Apple iPhone: mostly works as long as you agree with the Apple way of doing things. No alternative web browser for you, no expandable memory, no 3.5mm jack if you want a recent device, no full control over your device. Very limited choice of hardware from a single supplier. Expensive hardware, this mostly related to the issue of there only being a single supplier. Hardware also with well-documented problems which tend not to be solved [1].
You need to trust Apple. What makes you think you can trust them? Remember that Google started life with 'do no evil' as their motto, people tended to trust them as well. Lately, not so much anymore.
If you don't feel these issues are valid or think they don't matter Apple can be an option but it does not make sense to portray them as the solution which 'just works'.
The real problem is that you can't get a phone [1] which can run upstream kernel. So while there's postmarketOS and Replicant (both trying to port regular Linux (for lack of a better word[2]) to phones), very few phones work properly (and most are fairly old and not sold anymore, IIRC Replicant's newest phone they support is the European S3 - guess how old that thing is).
So now, for each device, you have to port desktop Linux [3] to whatever generation kernel it came with.
Debian, in contrast, can assume that you're using the standard modern kernel.
[1]. I mean that it should work as a phone, not just a small tablet. So if it can't make phone calls, it ain't a phone. All the more so if you want a working GPS and Camera.
[2]. I would have said Gnu/Linux but postmarket is based on Alpine which is based on busybox/muslc and not gnu.
[3]. Anything which issues syscalls is fair game, so, for example, if your oldest phone you want to maintain is six years old, then you have to back port every single program (and library!) to work on a random seven year old kernel.
Even back porting android user space (which is mostly Java and doesn't interact directly with the kernel) is a huge pain (and sometimes is actually that hard that the maintainers just give up). Porting back Debian?
postmarketOS tries to bring a desktop-style, Alpine-based Linux distro to mobile devices. It has some level of support for relatively recent (~2015) devices, but there's still a lot of work to be done.
Replicant is working on creating a fully free software distribution of Android, rather than trying to provide a desktop-style Linux.
Porting programs isn't generally a huge deal. Most devices on postmarketOS currently use the old downstream kernel, and most things run fine on it.
The main problem is that a lot of peripherals require closed source drivers and firmware. For instance, very few devices have support for hardware-accelerated graphics or wireless connectivity, both of which are necessary on a mobile device.
Purism is planning on fixing that[1]. The funny thing is that we've actually reverted backwards, you could install a Debian-based distro on the Nokia N900 -- not really possible on newer phones (though you do have stuff like Ubuntu Phone).
Speaking of Ubuntu Touch (aka Ubuntu Phone), it should be noted that though Canonical shut down support for it, a community of people calling themselves UBports are keeping the project alive.
I recently bought a Nexus 5 for the purpose of running Ubuntu Touch. It arrived yesterday and I look forward to try Ubuntu Touch on it.
I miss my N900 so much and for so many reasons. Unfortunately all of mine had abysmal build quality and fell apart after a few months. A friend of mine kept repairing his for many years -- maybe he still uses it.
But a huge part of why I liked the N900 was the physical keyboard. What is the puri.sm stance on that?
A lot of the issue is that most devices have poor, if any, mainline kernel support. That means you have to rely on the downstream vendor kernel, which is almost always hopelessly out of date. (For instance, the downstream kernel for my OnePlus One is at 3.4 from 2012.)
Besides just being out of date, the vendor kernels require binary drivers and Android-specific services to use a lot of peripherals. For instance, the graphics driver Freedreno is compatible with my OnePlus One's GPU. However, Freedreno isn't compatible with the version of KGSL that the downstream kernel supports. That meant that my only options, if I wanted hardware-accelerated graphics, were to use Halium or mainline my device.
That's not even getting into bringing up WiFi, LTE, and actual phone capabilities, which are still a ways out as far as open source software is concerned.
really. we are back to being limited to one OS because of drivers.
this is also the reason lineageOS and other android roms can't just keep updating older phones to new releases. they need the oem to upgrade so they can extract drivers from the binaries.
I bet that this is only possible because someone got the drivers for display, touch, camera, radios, etc. in binary form from the last OEM image and put them in the new one. Sometimes they will backport the last kernel from Android 5.1 into a 6.0 image so the binary drivers still work.
I had a S2. It died on October 2016 after 5 years of good work. It still has some good points against more modern phones but I won't recommend to buy a refurbished one now. I won't trust the hardware to last much longer.
Canonical made some attempts at a mobile Ubuntu (which is a Debian derivative) but they have a short-sighted vision and in general they have a history of failed attempts at similar projects, like Netbook Remix.
The problem is primarily hardware support with two issues:
A lot of hardware support on these devices is proprietary in some way. Mostly proprietary firmware, some proprietary kernel drivers and some proprietary userland daemons or drivers.
Most hardware doesn't have support in the mainline Linux kernel, u-boot, mesa etc.
These are improving slowly as people do reverse engineering of proprietary components and the FLOSS enthusiast community does the work of getting hardware support mainlined. Some vendors also do mainlining work too and some employ folks to work on FLOSS drivers (Broadcom RPi VC4/VC5 for example).
Both the Android and Apple app stores have become so riddled with race to the bottom crap that I trust them much, much less than the wild west of old when there were no stores at all, and you just grabbed exes from random websites or BBSes.
I don't trust anyone working with Debian or Google.
But with Debian I can be sure that if someone saw a bug/malware happening or in the source, I'd benefit from that. With closed systems the source option is gone. Also nobody can report an ISP MitM of the binary packages because no one knows the actual build output.
So, trust no one, but accept that open source gives you an edge. Always.
I run a similar setup for almost 1,5 years. LineageOS 14.1 with f-droid "store"; syncing contacts and calendar with davdroid over nextcloud; also switched search to duckduckgo (on desktop, too) and I really don't miss anything. Another advantage of missing Google play services on my now 5 year old phone is that the power lasts two times longer than before. A google service free phone is absolutely usable in my opinion and I can recommend this to anyone who does not want to share all their data with google.
Some word to the play store problem: I've heard of so much malware and fake apps there, that I don't think the trust is less for an open source community. To install any proprietary apps, I can recommend yalp store, which uses the play store.
It's interesting to see how much apps depend on google services and the only trusted source is the google play store, which requires a google account (which I don't have). At this time any request on providing google free apps are ignored or denied with google play being the only trustable source for android. I don't think that this is true, at least not for people with some technical background.
How do you find it when communicating with people who don't share your ethos, say those heavily invested in Whatsapp, or another platform to which there is no F/OSS compatible client.
The topic was more on google free, than FOSS. To go fully FOSS, you have to walk some extra miles and just don't use these services. I don't, so in the case of WhatsApp, you're lucky because they offer official apk (https://www.whatsapp.com/android/) and have an autoupdate function. As mentioned, the backup service has to be done manually. As I said before, for other proprietary Apps, you can use p.a. Yalp store, which downloads apks directly from play store. There are of course some Apps that fully depend on play services, which I cannot use. MicroG is no real alternative, because it still communicates with Google service AFAIK.
For whoever is interested... I live in China and have lived in a "google free" microcosm for some time, forced on me by the government. Generally I do not miss anything at all - at least I don't miss anything I don't know about.
FTR I don't game or media watch on my phone. For me a phone is a mobile device for getting things done when I'm not at my desk. I use a Blackberry DTEK60.
The apps I use:
APKpure for getting apps - great selection and it's fast. But you do need to know which ones need GPlay Services before downloading.
work : Blackberry Hub - use this for work and service integration. Simply the BEST bar none - and yes I am a huge fan of BB devices and yes I do/have owned and used everything else.
email : MailDroid - for personal email.
photos: Simple Gallery - photos
txt: YAATA - sms/mms
pCloud: cloud storage
riot.im: messaging with a few friends and family + calls
T-UI: a power saving and very efficient UI for android
TurboClient: ftp client - fastest way to move files between pc/Mac and phone
Have loaded and will try some of the author's suggested apps as well. I'm not anti-google, just need to have my apps work all the time whether I'm in Hongkong or China.
That's much easier in China because all the important local apps are obviously available without the Play store. Like banking, ridesharing, payment, etc. App publishers in the rest of the world always depend on Play store and it's a real pain for people with Chinese phones who're travelling/moving.
Good points. In China one needs only alipay & wechat and basically everything you need in life is covered....and I mean everything!
Previously I used the xiaomi store for apps on local phones, and phones bought elsewhere and it worked a charm - looks first on its own store and then has option to search elsewhere for the apk. Worked faultlessly for me until I decided to switch to APKpure because the signing in F-Droid and its occasional blocking became a pain for me.
I think you aren't missing anything because there's always a proprietary alternative, but unfortunately, for true freedom, very rarely an open-source one.
I was having the same issue. If you are fine with something more homegrown you can use gplaycli[1] to download the apks directly from Google Play. I use it in combination with rsync, but it should be possible, at least in theory, to host your private f-droid repository with the downloaded apks.
Unfortunately, this does not solve verification of the apk signature. As far as I understand it, Android uses something similar to "trust on first use" [2] with apk signatures, so verifying the signature before first installation should be sufficient for most people.
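Added example (not part of the thread): a sketch of the "verify before first installation" step described above, keeping a trust-on-first-use pin file of signer certificate digests parsed from the output of `apksigner verify --print-certs`. The pin-file layout, the package names and the sample digests are assumptions constructed for illustration; the package name is supplied by the caller because apksigner does not print it.

```python
import json
import re
import subprocess
import tempfile
from pathlib import Path

# Digest line as printed by `apksigner verify --print-certs` (Android SDK build-tools).
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

# Constructed sample outputs; DNs and digests are made up for this example.
SAMPLE_ORIGINAL = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "ab" * 20 + "\n")
SAMPLE_RESIGNED = (
    "Signer #1 certificate DN: CN=Someone Else\n"
    "Signer #1 certificate SHA-256 digest: " + "cd" * 32 + "\n")


def run_apksigner(apk_path):
    """Verify a real APK; raises CalledProcessError if the signature is invalid."""
    return subprocess.run(
        ["apksigner", "verify", "--print-certs", str(apk_path)],
        check=True, capture_output=True, text=True).stdout


def normalize(fingerprint):
    """Accept 'AB:CD:..' or 'abcd..' forms of a published fingerprint."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def signer_digests(apksigner_output):
    """Sorted, lower-case SHA-256 digests of every signer certificate."""
    found = {m.group(1).lower() for m in DIGEST_RE.finditer(apksigner_output)}
    if not found:
        raise ValueError("no signer certificate digest in apksigner output")
    return sorted(found)


def check_pin(package, apksigner_output, pin_file, expected=None):
    """Return 'pinned' on first use, 'match' on a later identical signer set,
    'mismatch' otherwise. `expected` is an optional fingerprint obtained
    out of band (e.g. from the developer's site) to check before pinning."""
    digests = signer_digests(apksigner_output)
    pin_file = Path(pin_file)
    pins = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    if package in pins:
        return "match" if pins[package] == digests else "mismatch"
    if expected is not None and [normalize(expected)] != digests:
        return "mismatch"  # never pin a key that fails the out-of-band check
    pins[package] = digests
    pin_file.write_text(json.dumps(pins, indent=2, sort_keys=True))
    return "pinned"


def demo():
    """Run the first-install, update and re-signed cases on the samples."""
    with tempfile.TemporaryDirectory() as tmp:
        pin_file = Path(tmp) / "apk-pins.json"
        return [
            check_pin("org.example.app", SAMPLE_ORIGINAL, pin_file),
            check_pin("org.example.app", SAMPLE_ORIGINAL, pin_file),
            check_pin("org.example.app", SAMPLE_RESIGNED, pin_file),
            check_pin("org.example.other", SAMPLE_ORIGINAL, pin_file,
                      expected=":".join(["CD"] * 32)),
            check_pin("org.example.other", SAMPLE_ORIGINAL, pin_file,
                      expected=":".join(["AB"] * 32)),
        ]


if __name__ == "__main__":
    print(demo())
```

Against a real download, pass `run_apksigner(path)` as the second argument; a first-use pin is only as trustworthy as the channel the first copy came through, which is why the out-of-band `expected` check is there.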
Great list! NewPipe is really good, far better than the proprietary YouTube app. K9 is also a superb app and holds up very well against the proprietary options. I have to recommend andOTP over FreeOTP, though, it's more featureful and does some important things like backups.
NewPipe lets me play audio of YouTube videos in the background, allowing me to turn off my display. While Google's official YouTube app stops the video entirely when I turn off the display, and pesters me to upgrade to "YouTube Red" so that I can pay money to do what NewPipe already does for free.
Agreed completely on NewPipe. I have installed NewPipe, and it's not a case of me tolerating a second-tier app because I want something free. I actually like NewPipe better than the Youtube app.
I used NewPipe for a while and then switched to SkyTube - anecdotally I found it had fewer issues with higher-res formats and audio than NewPipe did. It uses the Youtube APIs though, so isn't as Google-free as NewPipe.
Anyway, worth a look if you just want to ditch the Youtube app.
I am adopting a different approach. It seems likely that I may not be able to de-BigBrother myself without tremendous efforts. There are all kinds of devils out there, why not at least sell the soul only to a single devil? So I am going all Google. Nothing else. I exclusively use all their products (even Google+). I don't have FB, Twitter etc. Google is the devil I have sold my soul to.
I do the same and with youtube as well. I bookmark video timestamps by leaving comments and liking videos to see if I've watched the entire thing.
I do the same with stackoverflow too (upvoting comments if they were helpful). Later I can browse my likes across many platforms to refresh what I was looking up.
Might as well apply data capturing to yourself and reap its benefits
Besides everything else mentioned before, I feel like this is a double-edged sword situation. Centralizing every aspect of your life into 1 company gives them a much more refined picture of yourself than if your info were scattered around with other companies.
I'm pretty much same. I don't like it, but I won't use anything else either. It's bad enough that one company has so much data. I kind-of like the analogy someone told to me at some point that I prefer to shoot myself once in the chest instead of three times to the leg.
Doesn't matter which drain you go down, they all go to the sewer!
Surely once Google sell your data, or access to it, then you're in no better position than if anybody else were selling it? Google release it into the wild, presumably, just like other companies do.
That's your problem. iOS Webkit has buggy scrolling behavior if you use fixed position elements or iframes. Unfortunately, Apple won't allow non-buggy browsers on their platform, so there's nothing you can do about it.
What you are describing was a problem with inconsistent scrolling behaviour, and it was fixed. On this site scrolling is just completely broken and it's dev's fault.
Interesting. Because with Firefox 59 for Android, both kinetic and inertial scrolling work as expected (just tested). Odd that it does not work for iOS Safari.
I don't know about this specific case, but mobile Safari versions have a history of doing special things like CSS position: fixed works entirely different on that platform.
Interesting article. You can add Hound as a surprisingly powerful alternative voice AI to Google Assistant!
I'd be curious to know if anyone has had any positive experiences with any of the non google/apple OS phones or if there is a comparison out there as I'm so fed up with that duopoly. Apple has terrible battery life and intentionally obsoletes their expensive equipment every year. Not to mention they rip off third party devs (it's why there's no amazon store app). Google's design on the other hand is so bad it takes forever to figure out how to do something stupidly simple like turn a text message pic into your background or it even tries to kill you with a full screen text wall pop up on google maps when driving over a bump. You find the tiny dismiss and then... bump again...
I thought hound was dead? There was hype a couple years ago but have never heard anybody using it since. It's not nearly as integrated with IOT as Assistant or Siri.
Nice, I've also thought about moving all my notes and todo stuff to Org Mode.
I did figure out a way to sync org mode files between laptop and phone with low latency (unlike with Syncthing) running Unison inside Arch Linux inside Termux, using git to automatically merge conflicts. It's a little crazy, but seems to work? Maybe will do a write-up at some point.
Syncthing has recently gotten inotify support for lower latencies. These days I barely even notice any latency, actually. (Where previously it would depend on your scan interval, default 60 s.)
I used k9mail for awhile until I realized it had sent every temporary draft of an email as I revised something and changed between apps. Was super embarrassing. Hard to trust it now even though the ui seemed great.
Original author of K-9 here. I haven’t been involved in the project for some time, but my recollection is that any time we investigated this issue, we found that the issue was GMail displaying multiple drafts to the sender as having been sent, not actually sending the drafts via SMTP.
(That’s what the bug reference in a reply to this comment is about)
Yes I actually faced this exact bug myself a week ago.
What happened was - my mobile app gmail displayed my draft as sent (but actually I have already completed it and send it using desktop web app), but when double checked on desktop, it indeed actually send my completed email, not the draft.
I tried restarting the app/ refresh email threads, but it didn't fix the visual bug. I'm not sure if the bug is still present today as the email thread has been buried down and I couldn't care enough to follow up on it. I'm just glad it didn't actually send my draft when somehow the app displayed my draft version as sent.
Note that I'm not a user of K9, I'm just describing similar buggy encounter with Gmail desktop and its android app. I only noticed this that one time and just shrug it off due to me turning off apps auto update. Usually I only update manually when I really think I need to and after carefully reading each change logs.
I've been running LineageOS (and its predecessor Cyanogenmod) for 6 years now across three phones, currently a Moto G5 Plus. Have also set it up for several other people. Subjectively, the overall stability and quality has improved drastically in the past few years. It's almost certainly better than the stock build of Android on most phones. Performance and battery life is improved without Google Spy Services always running in the background. It feels great to run a (mostly) surveillance-free smartphone that answers to me, and only me.
If you do need an app from the Google Play Store in a pinch, Yalp Store gives you access to that, and most of them work well enough. For the occasional app that really needs Google Spy Services, I keep an older 'burner' phone around which runs the factory-default build of Android.
To be fair, it's tremendously difficult to even know what gets compiled in to the final package you get. Fun fact, Lineage, without GAPPS still phones home for network connection checks.
I'm curious about the battery and reliability effects of push notifications without FCM. Using a single service for notifications allows a single wakeup across the device when fetching notifications. Last I checked, the minimum interval for coalesced timers in android is 15m and that's just in time for most telco NATs in the US to have silently killed your connection.
[Source: I used to run a 3P push network on android]
Well I'm not sure how Telegram does it, but I get messages pushed instantly, it doesn't use Google spy services for that, and it's super low in battery usage rankings.
I might be wrong but isn't it simply about building a tcp connection whenever Internet is available or changes, and the server will push whenever there's something new? You don't need a single thing polling (which would indeed save power) if the server is pushing. Recently I learned that sleeping (power-conserving) clients are even part of the WiFi spec, so that an access point will hold onto messages for some time until the client is listening again. I assume this is just some ms, but still.
In my totally subjective experience, the reduced power consumption of doing away with Google Spy Services exceed whatever background drain I've suffered with 3+ apps doing their own messaging for notifications. My phone (Moto G5 Plus) has been off the charger for over a day now and is still at 65% battery.
As for reliability, I have notifications for email (using K9 Mail and IMAP idle), XMPP (Conversations), and Signal. Emails (using IMAP idle) always reach me within a second or so. Occasionally, Signal messages will take hours to reach me, but I suspect that's not a problem with the websocket connection to my phone, as others running Signal (on a Google-laden phone) have had the same issue.
That blog post is mostly just about the apps. Sadly we still have a lot of Google services in use afterwards, like e.g. the optional location service which speeds up the GPS positioning, but those parts are much harder to replace :-/
Some time ago MicroG[1] was set to solve that problem, but I don't know how far they have come.
"LineageOS 14.1 without the Google apps" (from the OP)
Google apps/Gapps is what MicroG replaces. Gapps is an optional, separate install not included in LineageOS. Location services etc are part of that.
MicroG works well, I use it on one Android device and have another using LineageOS without either Google apps or MicroG. Both devices are extremely useful and capable and do everything I require, but I've never let myself become dependent on any Google services in the first place (despite having been a web dev for almost 20 years).
I've been doing this for 3-4 years. Most of the apps are what he recommends
A couple of other recommendations:
Try using amazon app store as they have some commercial apps and don't use google
KeepPassDroid - and use syncthing to sync
Skype (on amazon)
The two that I have problems with are uber, which used to allow you to use their web interface, and a google maps replacement. I ended up with a burner phone after a while...
The Deutsche Bahn navigator mentioned in the article runs fine without Google Play Services. The only thing missing is the map view. And you can use yalp to install and update it.
I downloaded it from uptodown a few weeks ago and can confirm that it runs fine without google play services. It only gives you an error message on some occasions which you can ignore. However, I don't really trust uptodown. When I asked them where they sourced their apps from I didn't get a reply. I also mailed DB and they said they publish to Google Play only. Now I've checked the apk file with various online tools but I still feel slightly uneasy about it.
I really hope that one day institutions like public transport operators and public service broadcasters publish their apps in google-free stores. I don't want to depend on the Google Playstore one day because there's no other way to purchase an electronic ticket or to use tv on demand services.
I have been running non-stock ROMs for a while now (specifically AOSP Extended, on my Samsung S7 Edge) and my main issues have been related to reliability/stability, primarily in what I assume is the device drivers' area. Camera freezes phone or gives shitty pictures, microphone not working, etc, etc. This is nearly enough to cause me to go back to stock.
However, I do see the number of ROMs built for my phone has increased a lot, so maybe I should try something else?
If your Android phone supports USB-C, there's another alternative: you can embed your TOTP tokens on a Yubikey and access it via USB-C and the Yubico Authenticator on F-Droid: https://f-droid.org/en/packages/com.yubico.yubioath/
You can also use GPG keys embedded on the Yubikey for encrypted emails via OpenKeychain and K-9.
Very interesting. I've been looking for something like Syncthing for a while now, without luck. I ran into TLS/https issues (can't remember what exactly) while configuring OwnCloud/Nextcloud, and realized it had some security flaws I wasn't ready to live with. I decided to stick with Google Drive. I'll give Syncthing a try this summer. Thanks!
I have used Nextcloud for a few years and I am very happy with it (especially with the desktop integrations, e.g. KDE/Dolphin). I even use the Nextcloud WebDAV server as a backend to store and sync data for my own Progressive Web App :D
The only security flaw I see is that it is written in PHP, which makes it harder for the devs to write secure code, but not impossible.
Syncthing is great once you get it set up correctly. On my first attempt it accidentally wiped my $HOME[1], but on my second attempt it was really easy. Now I have it on all my devices and I don't want to live without it.
[1]: Still not sure if some sequence of commands looked like I intended to delete stuff, or if it was a bug that has since been fixed.
I had problems with SyncThing's reliability and, although it is proprietary, am using Resilio Sync (was BitTorrent Sync). Hope SyncThing is much better now and I can switch back next time I set it all up!
Still nice to control my syncing and files with Resilio.
The voice directions on OsmAnd are pretty horrid. It often doesn't say anything where there is an important turn and hardly ever says the street name to turn on to. I suspect it gets really confused by the little turning lanes on the edge of intersections which usually have no data in OSM as they aren't a real road.
If you have your phone in a dock with the screen on it's usable. Also the search is pretty bad and forget looking up most stores by name.
I factory reset my (old) Android phone a while ago and now use it without a connection to Google Play. The only app I installed is Firefox, from an APK file. Works for me, although I rarely use a phone anyway. It's also nice not getting the constant upgrades of apps that came with the phone but which I don't use.
Been thinking of getting the Essential Phone as my next phone as opposed to the Pixel 2, but not sure if I want to root and install Lineage, which begs two questions: how secure is Lineage, and does it maintain close ties to Android or does it drift a little? And... are there LineageOS phones out there yet?
Isn't one of the main purposes of the LineageOS project to preserve as close-to-stock of an experience as possible?
Personally in terms of security, I would worry more about the Essential-specific builds, not general LineageOS releases. For example, a quick search shows LOS having the KRACK vulnerability seemingly patched the same month after public disclosure.
As for my distinction between Essential builds vs. general LOS builds, bear in mind LOS has not reached Official status for the Essential phone and is very unlikely to within the foreseeable future, primarily due to the difficulty in decoupling Google services from the OS. BUT! If the Essential LineageOS Discord channel is any indication, maintenance and updates are super active. And, the (volunteer-run) support is VERY helpful. Keep in mind, they are supporting LineageOS on Essential, not necessarily cases of rooted devices.
Furthermore, rooting isn't a 1-click process at this time, either. You'll have to bust out the computer terminal, run some adb/fastboot commands, and do a couple additional things that get your hands dirty.
If you use T-Mobile and have the money for a Pixel 2, I would just go with that. Essential has widely varied reception for T-Mobile users. Mine for example simply doesn't work much of the time that it says I have full signal, and it flat out drops incoming calls and text messages with absolutely no indication whatsoever that anybody even tried to contact me.
I kind of regret my choice in phone to replace my aging, problematic N5.
Thanks for the great blog post! I did exactly the same a couple of months ago. Instead of using my own server for contacts and calendars, I used posteo.de for synchronisation.
By the way, the DB-Navigator works fine without google. I installed it with the amazon market app.
Maybe I can help. I have written this in a Google context, but it is a general privacy-enabled configuration.
This is what I am using:
https://lineage.microg.org/
(Get rid of Google Play and save 1/3 of battery.) Apps have dependencies on the Google framework, and just not having it breaks lots of stuff (this is Google's true vendor lock-in). MicroG is an open-source reimplementation of it, but it needs patches in Android to fake its file signatures, and Lineage microG takes care of it.
First thing, get rid of your Gmail/Android account and register a new account with a 3rd party email provider. If you are buying a phone, check xda-developers for which one has the most support from ROM builders, as you don't want, for instance, a Samsung ROM. Only then go for hw specifications. Root the phone (don't be afraid, it is nothing special, companies are scaremongering here), flash the TWRP recovery (imagine it as a "bootloader" for Android), flash Lineage microG.
From here, you start playing with OS.
- Replace DNS server (root required) 8.8.8.8 with another (I use my own but there are plenty of privacy-oriented ones like ccc.de)
- Install yalp store (replaces play store, buy things using browser, if developer drm doesn't support verifying that you have bought its app, break it using lucky patcher or demand money back)
- Install xposed framework, install netguard, install xprivacylua (one of the rare developers I trust for this, due to his privacy work), pay him donations to get pro versions (I have my own versions of those two built and a tad modified)
- Use netguard logging to block all the fishy URLs that the system is calling (gps service, block complete network access,...)
- Take special care with Firefox: block all privacy details using xprivacylua, install the webapi manager add-in, learn to use it.
- You have set up the base OS; now start using it and block everything that is trying to be contacted using microG. Lineage is by no means clean but you can silence it. Don't trust system apps; Broadcom drivers are, for instance, contacting their servers. Don't start installing apps until you have done it, later you will get huge noise from apps. Take a day or two and just use the phone's normal features, blocking everything that seems foul (google ntp servers,...)
- For those who haven't noticed it yet (or reversed a few apps), most Android applications are demanding a crazy lot of permissions. The reason is that they have ~1/3 developer code and 2/3 spying code, from ad providers to tracking and analytics and simply code that "just" needs to access your contacts =/. So... for every application you install, start it with everything blocked (netguard + xprivacylua) and work your way through allowances. Don't allow any app internet access if it doesn't need it, fake all the details for an app that doesn't need them (South Pole is a nice place to be for gps coordinates)...
To really unhook yourself from Google, you will need a server. I came to the point where all Google domains are blocked (I mean ALL, not just google.*), all my communication from all my computers/devices is passing through the server (I have two ways of doing it, either vpn or ssh tunnel) where communication is cleaned, http (+https mitm) over squid with a huge blocklist, caching cdns forever,... and having squid in a separate routing table (ok, it's a FreeBSD fib but close enough) with an openvpn client, so also my ip is gone. I am completely self hosted (own "cloud" for webdav, webcal, files; mailserver; searx;...) and...
.. I am not missing anything that google has to offer, I am using android apps, but without google.
I would really recommend doing it. If you aren't familiar with networks, OS,... it will take a year, two, five, but you will learn a lot.
I have probably forgotten about lots of details but please ask, if you are interested.
Just for a taste, my google data export is 28kb (bought apps,...) after few years. What about yours? :)
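The comment above describes blocking every Google-operated domain rather than only google.*, and reviewing what each app tries to contact before allowing it. As an added example (not the commenter's own setup or code), this Python code matches hostnames against a blocklist on label boundaries and groups a constructed connection log per app; the log format, the app names and the short domain list are assumptions.

```python
from collections import defaultdict

# Constructed sample blocklist: a few registrable domains operated by Google.
# A real list is far longer; these entries are illustrative only.
BLOCKED_DOMAINS = {"google.com", "googleapis.com", "gstatic.com",
                   "doubleclick.net", "1e100.net"}

# Constructed log lines in a hypothetical "app hostname" format
# (not NetGuard's or squid's real log format).
SAMPLE_LOG = """\
com.example.weather  api.weather.example
com.example.weather  www.googleapis.com
com.example.weather  pagead2.googlesyndication.com
com.example.notes    notgoogle.com
com.example.notes    fonts.gstatic.com.
com.example.notes    GOOGLE.COM
org.example.browser  google.com.evil.example
"""

def is_blocked(hostname, blocked=BLOCKED_DOMAINS):
    """True if hostname equals a blocked domain or is a subdomain of one."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    # Compare every suffix on a label boundary, so "notgoogle.com" and
    # "google.com.evil.example" are not confused with "google.com".
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def review(log_text, blocked=BLOCKED_DOMAINS):
    """Group hostnames per app into 'blocked' and 'unlisted' (needs review)."""
    report = defaultdict(lambda: {"blocked": set(), "unlisted": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        app, host = parts
        host = host.rstrip(".").lower()
        bucket = "blocked" if is_blocked(host, blocked) else "unlisted"
        report[app][bucket].add(host)
    return {app: dict(v) for app, v in report.items()}

if __name__ == "__main__":
    for app, result in review(SAMPLE_LOG).items():
        print(app, "blocked:", sorted(result["blocked"]),
              "unlisted:", sorted(result["unlisted"]))
```

In the sample, pagead2.googlesyndication.com lands in the unlisted bucket because its domain is missing from the short list, which is the gap that a google.* pattern or an incomplete blocklist leaves open.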
Well, as long as you are using only xprivacylua, it shouldn't be a problem. I have reviewed the code for it and netguard (doesn't need root) and it is clean (for netguard there are some callhome functionalities, but it doesn't submit anything relevant back or do something fishy - I am talking only about the paid version). Also Bokhorst is donationwaring it, so there is a money trail to a physical person.
Nice summary, thanks. Do you think that there is a chance to get Google Hangouts running with microG? It's required by my current employer unfortunately.
Try it. Once you have TWRP on your phone, you can backup your whole phone (including ROM) to SD card and later revert it back if it doesn't work.
I can't tell without installing, and I have a strict policy of no Google / Facebook (actually anything related to social media) apps on my phone. Or try to find an OSS alternative.
It is dead. Someone forked it. I'm sorry but I can't trust some random team with almost zero funding to write my everyday os. Ubuntu phone died when Canonical dropped it. Same for Mozilla. It's a shame and kind of bizarre that Google can go on without any competition, but without the hardware manufacturers cooperating this isn't working out.
We need open hardware for this to work.
Sorry for the delay, am unsure what you're asking. Webview is a G framework baked into all android & ios systems to provide web functions through apps (sans browser).
Yes but I'm interested in the content of the article, not what the author looks like. Especially not if his head is almost 33% of the window height.
And also in general. I often see articles where there really are completely random images in them to fluff things up... Like "Oh you're reading some technical article? Here have some people sitting on a bench eating ice cream!" Why?
This is something I did a week ago. After finding a version of LineageOS with MicroG, I quickly realized that some apps, like Snapchat and Uber, just don't work without the real Google Services. I just gave up and kept only the Play Store and Services Framework.