I would advice against using Chromium on Android. For one, it's still Google and to my knowledge still phones home to the mothership. For two, Chromium/Chrome is becoming the next IE and I sincerely believe that encouraging further ieficiation of the web towards Chrome is not desirable for anyone involved.
On the other side, I would amend AnySoft keyboard into that list, which is much more useful than Hacker's Keyboard (due to being less dense) and has a pretty okayish autocorrect (still better than the rest).
NewPipe is also a solid choice and I recommend it to everyone even if you don't want to FLOSS your phone since it's miles better than the youtube app (downloads, background play, doesn't require signup but still offers subscriptions and playlists, popup mode).
Chrome has been having a really negative effect on web standards recently. I don't want to derail anything going down that rabbit hole, but just to reitterate the point above: I wish more people would break away from Chrome.
They have a bad habit of trying to force standards through the W3C without thinking through what they're doing, they're really bad at responding to bug reports or engaging with devs, they regularly introduce breaking changes to existing web content without giving user overrides. The recent audio changes are a good example of just how broken their dev process is[0].
Firefox is still Firefox, they're fine. The Edge team honestly is pretty great too. Working with Chrome devs as a web developer kind of stinks, and I think it's partially because they're so dominant and they just don't have to care.
Especially on mobile, if you're even remotely a power user Firefox is just flat-out a better Android browser since it supports extensions.
I totally agree, the extensions in Firefox Mobile are simply a lifesaver and being able to seamlessly send links to the mothership computer at home is simply unbeatable.
As a longtime Firefox user, on mobile I actually use Opera. I really wish I could use Firefox on Android, but for some reason Opera is the last mobile browser to support proper text reflow, which is a feature I cannot fathom a reason for actually removing.
On the plus side, it might not have extensions, but Opera is a pretty damn solid mobile browser, especially now that they've added night(-ish) mode support.
> I would advice against using Chromium on Android.
CopperheadOS had a different take on this, and recommended Chromium for FLOSS-only Android[1]:
"Avoid Gecko-based browsers like Firefox. They’re significantly less secure and are among the few apps not able to benefit from the full set of CopperheadOS hardening features due to shipping their own linker and custom JIT compiler within the app process. The WebView is inherently Chromium-based so using Gecko also means exposing the attack surface of two browser engines rather than one. Firefox Focus currently uses the system WebView rather than Gecko but Mozilla plans to change that."
I got developer mode enabled on my phone and it allows me to select an alternative for WebView, but there's no options available. Its terribly annoying because a browser is about customising the WWW to your tailor. Not possible with WebView. Adblocker for example doesn't work. Though microG doesn't implement Google Ads.
I run Pi-Hole in Docker and connect to it via WireGuard. I then use a forwarding DNS server which catches all DNS requests and uses DNS over TLS. Hardware used: EdgeRouter-Lite. Results: slightly higher latency, obviously, but no ads and secure DNS traffic and secure traffic regardless of where my client resides or over which network. I also use LineageOS with microG which doesn't implement Google ads in the first place, and Firefox + uBlock Origin just in case. uMatrix is good, but too much of a hassle to configure IMO.
Because it (a) works great for users, (b) is the most secure (check reported vulnerabilities) (c) by far the best at fixing reported bugs in my experience, and (d) is by far the best for development for me.
Safari, Firefox and Edge are failing to win on the shit that matters, and as a web developer all three competitors make my life bad.
And we learned nothing from the IE era? The problem with IE wasn't only that it was bad, that was the cherry on the shitpile, the real problem was that it had 90% marketshare and websites simply would not work with anything else.
In re: to your points
A) doesn't work great for me, there isn't even an integrated side view or screenshot addon, not even mentioning the lack of integrated tracking blocker
B) lower number of reported vulnerabilities != most secure, this should be fairly obvious if you ever worked with netsec and websec people
C) I heavily disagree, chrome developers simply ignore bug reports if the resolution doesn't fit into their agenda. If your site doesn't work on chrome, you either suck it up and make it work or be prepared for chrome devs to ignore you unless you're big enough for them to care.
D) For you maybe, rest of the world? maybe. The Firefox Dev console has been utterly sufficient for my use cases in webdev.
You should intensely care about Edge, Firefox and maybe even Safari failing to win because if they do loose then you're going to be part of the group that will be responsible for the next IEficiation of the internet.
I use Chrome on Android and all Google products extensively for the wide and free variety of programs and services they offer. As far as I know, no one knows anything about me that I didn't freely put online. I have not been oppressed, jailed or denied anything in life since.
IEfication isn't really about oppression tbh, it's about Websites telling me "This application only works in Google Chrome" and completely locking me out. And they work in Firefox once you spoof the useragent. If they don't it's 99/100 times because Chrome is not being spec compliant or doing something dumb. Rarely because Firefox simply doesn't support it.
Having only one browser in the market/ecosystem is dangerous, we learned that with IE.
That has nothing to do with Chrome. It's bad (horrible!) web developers and their product. You can't blame Google or Chrome for that.
Good web developers create sites built toward standards, not browsers.
I occasionally read of people who claim such sites exist, and I'm sure they do, but I have as yet to find one while living on the web all day. (I'm a web developer.)
I blame Google and Chrome. Because Google continues to push for marketshare. If their devs were good devs they would strive for a balanced marketshare, not domination.
This is obviously not what Google is doing, therefore I blame them just as much as the web devs.
If you want an example, though recently fixed after I sent of a very angry complaint, the ELSTER tax system in Germany didn't work if you had a certificate login on Firefox+Linux but it worked on Chrome+Linux.
Another example is some of google's own websites, which break U2F authentication at times, though it might have been fixed in the meantime.
I'd love to do this to my phone (Moto G4). However I absolutely need my banking app, and I know it just wont work without Google Play running. Likewise as the article says, Google Maps is a must even with location tracking off. I do switch off as much personal data leakage as I can, but I'm not naive enough to think that Google isn't still collecting data on me.
Unfortunately, I just don't think a free open source phone will full modern functionality is ever going to exist.
FOSS android user here (I'm on the HN Materialistic app now actually)!
I had the same issue with my bank, but I resolved it using the F-Droid app "Yalp Store", which wraps the playstore. Now I have my banking app on my phone!
It's not FOSS, but even on my Linux PC I have binary blobs for drivers and stuff. It's good enough for me, it might work for your app too
The problem is not obtaining the APK, that's the easy part. The hard part with a lot of online banking apps (as well as apps like Netflix) is that they use (and require) Google SafetyNet to ensure that your ROM is "safe" (i.e. hasn't been tampered with). The guys over at the MicroG project are trying to find ways around that but it's really a cat-and-mouse game. Last time I tried (which, admittedly, was quite a while ago), neither my online banking app nor Netflix worked for me on a custom ROM.
I have a Fairphone 2 running their non-Google, largely FLOSS, version of Android with F-Droid app store. Sometimes, I'm slightly annoyed that I can't install app X but from the top of my head I can't even tell you what values X took. So it can't be that bad. The only regular annoyance is having to use Open Street Map. Very nice maps, but rendering and localization (GPS-only) are too slow.
Which OSM app are you using? I've started using "Maps" (the OSS variant of https://maps.me/, available on F-Droid) and it has pretty much replaced Google Maps for me. Performance is good enough for me, and offline maps are a killer feature.
Unfortunately, MicroG hasn't been maintained in the past months or so and the only developer barely communicates anymore. It's getting to a state in which it will stop working very soon.
One tangential issue I have, is that all NFC-payment apps seem to use Google Pay or some sort of API detecting custom roms or root, disabling NFC-payment features.
When you think about how many people use Johnny No Good Hacker’s lastest ROM because it’s largely the OEM supported Android x with one or two Android ++x supported features, it really sounds like a good idea.
It would be nice if there were a safe way to bypass that “immobilizer,” though for people that trust their ROM origin and the software on their phone.
I wish we could just emulate non-floss Android Qubes style. Then the banking app could just be spawned when needed. Maybe not full emulation but containers might be good enough.
It is worth noting that most ROMs are not FLOSS, and include binary blobs for GPU drivers, RIL services, and wireless drivers. The build process of lineageos involves copying select blobs from the factory firmware of a sample phone. The only true "FLOSS" ROM project is FSF's replicant, which is only available from phones that are old enough to have been reverse engineered.
More problematically, a huge amount of ROMs is people blindly copy/pasting scripts, binaries and other components from other ROMs without fully understanding the consequences, security implications and/or verifying the source for malicious code. The code quality for huge majority of stuff you find on XDA is so poor I wouldn't touch it with a 15m pole.
Indeed. I believe the latest full-FLOSS device is Samsung Galaxy S3 with free WiFi driver, but it's not too bad since the latest laptop with no blobs using LibreBoot is 2008-era Thinkpad X200 isn't it? Similat generation of hardware, yet mobile telephony has come so far compared to laptops...
It's not Android but HN readers might be interested in a FLOSS alternative; Ubuntu Touch. Despite being dropped by Canonical it's still going strong and is well worth a look.
Is it any good? I bought an Aquaris M10 with Ubuntu touch and, to be honest, I felt that the advertising was dishonest and left a bad taste in the mouth, especially as Ubuntu dropped it shortly after.
And it's not like I wanted the moon on a stick. I don't use 'apps'. Just capable web browser, reliable on-screen keyboard and a stable implementation of the promised 'convergence', would have done me fine.
I would say that it is absolutely worth brushing it off and reinstalling.
Looking at your laundry list I think a lot of your points are still valid. Importantly I don't think that it will ever be 'real' desktop Ubuntu. Like you I think that I was sold on that in the initial marketing and was disappointed by the tablet's reality.
That said if you approach it as a community project which is making real progress I think you'll enjoy it.
I suspected it would be at community-project stage, and I didn't really believe the Canonical hype. It's just it was plain unusable for anything I wanted to do (I hope that comes across as objective rather than unkind).
Not using a smart phone atm, but this is my backup device for occasional quick photos/2FA etc. and it is fine for the job and doesn't leak data.
It does try to get updates and info from Canonical, but I block that in my pihole setup. It doesn't do anything else, from what I can see, over the network.
Lineage and Omni still isn't "going FLOSS-only." Drivers necessary for Android to run on one's device come in the form of binary blobs. LineageOS is ported by extracting those from the OEM firmware. A FLOSS-only ROM will be Replicant, which lags in releases and misses various things (3D graphics, GPS, WiFi, Bluetooth) but a valiant effort nevertheless.
Exactly. Due to the way that phone manufacturers support Android (which is shit), there are a lot of proprietary drivers/firmwares required that only work on an ancient kernel.
For a true FLOSS-friendly device, the Librem5 seems to be about as close as you can get (though some chips will still run proprietary firmware..)
I wish that replacing the ROM was so easy. If you have a flagship device, it’s achievable; but if you don’t use flagship devices, it’s frustratingly difficult and requires at the very least substantial technical chops and investigative skill. (And I have no interest in spending more money on flagship devices; I spend thousands of dollars on a laptop because I use it very heavily; but my requirements for a phone are very much more basic, so I am disinclined to spend much on one.)
I would love to replace the ROM on my Samsung Galaxy J1 2016 or my Kogan Agora 6 to go with LineageOS with microG or similar, or even something more extreme; I’d even settle for just rooting the thing, for starters, so that I could use my own DNS server (which you can’t do on a cell connection without using a VPN, which is annoying as it requires a passcode set on the device, but I don’t want to do that). But no rooting tools succeed, and no alternative ROMs provide compatible builds.
Using LineageOS, as one example, seems to require me to craft a config file describing the device’s capabilities and specifications (which I must find, somehow), then build LineageOS (thus I need to construct a suitable build environment), then get it onto the device in some way (admittedly the easiest part of the process).
I want all of this, but I just don’t have the energy to pursue this further to try to figure it out.
People keep on speaking of replacing the OS on your phone as straightforward, but it’s not. Could someone please make this process easier for me?
Well, then you'll love Android's Project Treble, and its GSIs.
GSI stands for Generic System Image, which means that they separated drivers from Android framework (it is a different partition, and they can communicate only through well-defined, stable IPC)
This works only on recent enough devices (devices launched with Oreo or better), but should apply to all of them, whatever their price range, and their popularity.
To clarify, there is a certification requirement when certifying for Google apps, that says that the device MUST boot and be functional on AOSP.
Same with Huawei Honor 7c - not even listed on XDA forum.
Somebody should really write an article on the sad state of Android unlocking / rooting. There are countless reasons to unlock and root your phone: DNS, bloat, doing a full backup (TWRP doesn't work without root)... Unfortunately, it seems Android is rapidly catching up with iOS, where jailbreaking is mostly just a thing of the past.
Just bought a Xiaomi Redmi Note 5 because of the flourishing custom ROM developer scene just to flash a Google-less AOSP Android P ROM in the next month.
Yes, there might be backdoors in the hardware itself, but at least I minimise any threat factor to myself in this regard, even if only through software.
Beside, minimalist functionalism is raison d'etre of the Unix Way, isn't it?
It would be neat if one could have both worlds: have a phone which normally runs FLOSS, but if one needs Google things, it can spin up all the services required, and launch the app needed. And when one is finished with that app, press Quit to terminate all the Google services.
It seems phones are now powerful enough that even virtual machines should be possible...
What you're describing is a web browser. Spin up/connect to a service, in a sandbox, and then get rid of the app when you're done.
Of course, many of Google's own apps are not particularly web or mobile friendly. It annoys me to no end that for all that Chrome/Android is pushing the progressive web, basically zero of Google's own apps utilize it. The progressive web does have some pretty serious shortcomings and problems, but for the most part, pretty much every major Google app (Google Music, Youtube, Maps, GMail) could be thrown out of the app store and replaced with a progressive web app with offline access, and everything would work fine.
It's not even like the current offline support for their native stuff is any better than a progressive web app's would be; Google Music will often bug out and remove access to downloaded music if it can't find an Internet connection. Youtube Red loses and corrupts downloaded videos almost like it's on a schedule. A web cache would be just as reliable as whatever they're using now.
As far as I'm concerned, there's zero technical reason why we couldn't have this right now.
I like to think about it this way: web is for documents, apps are for tools. If it can be linked to universally, it is a document. If it cannot, it is a tool. Would I install facebook.exe on my PC in order to browse it? No, it would feel like installing a virus. Then why would I do this on mobile?
I've had this conversation with people before on HN, but to take this philosophy even a step farther, I feel like I have an almost regressive view of most apps compared to a lot of people on here.
I honestly don't see the difference between an application like Google Maps and a document. Google Maps should be presentable in pure text without CSS, and the overlay is basically just styling on top of that. You have a list of points with information associated with them including Latitude and Longitude. XML is perfectly fine for that. Or you have a list of directions or reviews, which obviously should be presentable in pure text.
Same with Google Music. Google Music isn't an application. It's a search box that displays a list of links to audio files. It's fine that Google puts pretty interfaces on top of this stuff, and CSS is good for that, but I just still don't see what they're doing that requires native access.
Minus the absolutely horrible performance that would come out of using Electron and JS for everything, I really don't feel like it would be difficult to remake the majority of what people call native apps in HTML/CSS. A lot of the native apps on my computer are basically just fancy ways to present tree-like information.
Stuff like Gimp, or Blender, or a 3D game - okay, we can talk about applications. But Maps, or Youtube? I dunno, maybe I'm just old and cranky. Certainly Facebook and Reddit don't fit into those categories.
I find such things as email, maps and streaming services to be proper use cases for native applications, because they either require non-standard connectivity / caching implementations, or hardware features which are not equally available on all browser-connected devices. JavaScript and CSS should be used to enhance hypertext document browsing experience, not to replace OS-level applications where they are needed.
I would love to go fully FLOSS on my phone. I would even love a dumbphone better. I just need/love to use my smartphone for a few things:
- Spotify
- Google Maps
- Sygic car navigation
- WhatsApp/Telegram
There are just no viable fully FLOSS alternatives for all these services, AFAIK. Last time I had Lineage+MicroG these services kinda worked, but I didn't have the time to invest such that it would work as smooth as the closed source counterpart. Maybe I'll try again soon.
The task of FLOSS authors creating clients for walled gardens like Spotify always seems like a bit of own goal to me, tbh.
I think we all love our phones - it's this amazing silent revolution that's happened where ubiquitous computing has already happened (at least in the first world)
I understand you likely want specific features from the services you list but for others, if they were generics, this is the best either FLOSS or if not available, De-Googled list I could compile:
///Music
Mp3s
Spotify (closed source with a downloader on FDroid)
I'm not aware of any open source clients for the streaming services. Some friends use Youtube-dl on a pc and send then files across.
///Maps
OpenStreetMaps (edit: meant OSMAnd)
Maps
///Messaging
Signal
Silence (Secure SMS text messaging)
Telegram (On FDroid - again haven't checked with MicroG)
Whatsapp (Closed Source with a downloader on FDroid, although I haven't tested it with MicroG)
Spotify should work in a browser, and they follow your every move [1]. HERE Maps is a proprietary alternative to Google Maps (you won't need Google then though). OSMAnd might work great for you.
I'm not very familiar with TunnelBear but they appear to have instructions on how to connect from GNU/Linux with OpenVPN[0], so you might not even need their proprietary Android app to use their service.
Instead of K-9 I recommend pEp which has a material UI.
Also, nearly everything mentioned has a web version. Which means the remote runs the proprietary software, and you can use an open source client to interact with it (Google in a nutshell).
If you have a NAS, consider running your own Nextcloud on it (do make offsite backups).
For camera app, I recommend Open Camera.
Many good suggestions in the thread and throughout this thread. I can recommend the Fairphone 2 as FOSS device. It isn't perfect (still has some binary blobs), but you can run an open source OS on it and repair it yourself cause it is modular.
> At times I feel that some services are really convenient even though they’re evil. For example YouTube. They probably track every mouse movement, but they give me pretty nice content.
On Android, Youtube + Firefox + Video Background Play Fix is a combination that I find more comfortable than NewPipe itself. No app needed!
> I have installed MicroG on OmniROM to get OsmAnd to work.
Why would they do that? I have run OsmAnd on a completely Google-less Android phone, and it worked fine. (Fairphone 1 with Fairphone OS, which is basically AOSP with a few tweaks.)
You mentioned evil and put emphasis on _TunnelBear_ in your apps list (which I was shocked to see Chromium listed in). Could it be logless VPN services are actually more dangerous than those which log activity?
I believe TunnelBear is highlighted because it is proprietary, not because it is evil (I'm not even sure if the author considers proprietary software in general to be evil; the author uses the word in reference to proprietary Google services).
I wonder if Stahlman would consider using a FLOSS-only smartphone. He could use wifi only so he doesn't have to give away his location to a cell provider.
Even a FLOSS-only smartphone cannot protect you from all the surveillance concerns, like remote location tracking using Silent SMS:
> In Germany in 2010 almost half a million "silent SMS" messages were sent by the federal police, customs and the secret service "Verfassungsschutz" (offices for protection of the constitution). These silent messages, also known as "silent TMS", "stealth SMS", "stealth ping" or "Short Message Type 0", are used to locate a person and thus to create a complete movement profile. They do not show up on a display, nor trigger any acoustical signal when received. Their primary purpose was to deliver special services of the network operator to any cell phone. The mobile provider, often at the behest of the police, will capture data such as subscriber identification IMSI.
"I don't have a cell phone. I won't carry a cell phone," says
Stallman, founder of the free software movement and creator of the
GNU operating system. "It's Stalin's dream. Cell phones are tools of
Big Brother. I'm not going to carry a tracking device that records
where I go all the time, and I'm not going to carry a surveillance
device that can be turned on to eavesdrop."
Quote 2:
Theoretically, Stallman says, phones that use only free software can
protect themselves from the danger of electronic eavesdropping. "If
it's all free software, you can probably protect yourself from that,
because that's caused by the software in the phone," he says.
On the other side, I would amend AnySoft keyboard into that list, which is much more useful than Hacker's Keyboard (due to being less dense) and has a pretty okayish autocorrect (still better than the rest).
NewPipe is also a solid choice and I recommend it to everyone even if you don't want to FLOSS your phone since it's miles better than the youtube app (downloads, background play, doesn't require signup but still offers subscriptions and playlists, popup mode).