Happened to me, I had to disable Play Protect scanning... interestingly, in the description in Android settings, it claims Play Protect will scan and WARN, not remove, apps. That is clearly a lie.
The constant nagging when you tell Google "no" shows how little respect they have for their users. Messages by Google, which is primarily an SMS app, is asking me every 1-2 weeks to enable RCS chats. The link for declining the request is small and easy to miss, while the AGREE button below it takes up 25% of the area of the popup.
Dear Google UX designers, the way you present your little "decline" links is illegal in the EU. I'm sure you've got these design directives from a product manager, but you can still say "no" to breaking the law.
I dislike how there's no complete open source RCS implementation, and after trying it out a few years ago, I now actively avoid it (I instead use QKSMS on Android)...
But I don't see the problem with the decline link and EU law?
AFAIK, most EU regulations are about tracking and consent in using your information...
In this case, you're already using a Google product (the Messages app), and Google is just (aggressively) nudging you to use extra features that they have shipped in their app. It doesn't follow that Google is definitely going to use more information to track you than it would've done before (though it could be possible, of course)
...of course, I fully agree that this doesn't embody their "respect the user" ethos, but frankly... If you worked on new features for your users, I think it's fair to nudge them to try to make sure that what you worked on will end up benefitting them (of course, a company behaves differently than an individual, and it's not guaranteed that the work done might actually have merit... But that's orthogonal to this discussion)
The design of such consent popups has been deemed illegal in the EU, Google was also previously fined [1] for a similar consent popup. The "REJECT" button needs to be just as accessible and needs to have about the same visual weight as the "ACCEPT" button, dark patterns like the ones you see in the RCS consent popup above are illegal.
> Dear Google UX designers, the way you present your little "decline" links is illegal in the EU. I'm sure you've got these design directives from a product manager, but you can still say "no" to breaking the law.
If there is one thing I like about the EU, it's that it's the only one in the world standing for the user's rights, keeping these companies with their antitrust practices in check.
If it weren't for them @pple wouldn't have switched to USB-C
The only acceptable phone for me has been a Pixel phone, with GrapheneOS installed. I do wish the permission to install/uninstall were separated for something like this (I may be naive). I have everything installed to a work profile in Android (using the Shelter app). I can globally pause all work-profile apps. It's not the best, because when unpaused I'm not getting some notifications. I need to figure that out.
Graphene is not acceptable either, since it requires putting trust in someone who does not exhibit enough stability or rationality to justify that kind of trust. I mean it's only the keys to your whole life, no big.
"I mean it's only the keys to your whole life, no big."
It's a telephone, with a computer on it in your pocket with a shit load of sensors. The computer part involves components from many parts of the world, with many opaque subsystems. The OS is sort of Linux with knobs on and a lot of opaque parts - the first layer "belongs" to a prolific ad slinger hell bent on knowing everything about you. Then if it isn't a Google jobbie, it will have another layer of software, lots more shiny and a lot more data gathering (eg Xiaomi/Samsung/whatevs). Then your "TSP" gets to put their spin on it. All three layers can sell out to eg MS for yet more data gathering and ads and profiling and so on.
Apple does the same but manages to be layers 1 and 2 and be a bit cooler about the whole thing.
You worry about Graphene?
I don't advocate for full Luddite (I run an IT company) but please get some perspective. If you are concerned about Graphene, I suggest a burner feature phone or smoke signals.
EDIT: I have F-Droid and KDE Connect wired up to both of my Arch (actually) boxes on my Samsung Invasive Intruder ... sorry Galaxy S23. I'll try switching out the Play version of Connect for the F-Droid one and see what happens.
The fact that other things like the carrier are bad, does not somehow make any other thing like graphene good. (not that it's bad exactly just that there is a problem, which is not no problem, even if it's a problem you personally have just decided to be ok with)
Someone else said that the head guy isn't the head guy any more so the biggest problem may not be a problem any more. The idea, stated ideal, design, & construction (as far as one can tell honestly) of the os are all fine.
But the point was, you don't need any more reason than his behavior to avoid granting him such a privileged place in your phone, which holds such a privileged place in your life. Just on basic principle. You don't need to justify that to anyone and he or the project does need to justify why one should trust them. The usual justification is merely the utterly flimsy weak one of benefit of the doubt. It's more or less impractical to actually vet strangers, and so you just grant benefit of the doubt until there is some reason to question. But that goes out the window the instant there IS any reason to question.
People have different tolerance for risk, and so, you might be fine with saying "that guy is acting a little weird in this way, but whatever, probably he can still be counted on in this other way.", but no one else is obligated to. And this example of "weird" was not just neutral irrelevant non-conformity.
There have been countless examples of people in positions of responsibility and trust going off the rails and taking a bunch of users down with them. There is no reason not to use your nose for what it's meant for in this way.
But like I said, maybe the problem is resolved now by the fact that we don't actually have to trust that guy any more. In which case, ok.
Why? There are other equally open source os's I can just run instead, that don't require me to excuse or verify anything?
Even if there were something special about graphene that made it more desirable, the real way to deal with an open source project with something unacceptable about its production or management, is to fork it. But I already have something else to do all day, and am happy to run lineage or calyx or others. If I did need a fork, I'd need someone else to do it, and I'd have to trust them.
Fork it or help someone else who is forking it or work towards changing the original (which is what seems to have happened actually, so this is all a bit academic now), or just use anything else, are all more reasonable responses than "the people producing this thing with access to all my communications have shown themselves to be off the rails, so what I'll do is keep using it, but personally read all the code in an entire android os."
The point is, you don't have to trust Micay about a darn thing. The code is open. That's the whole point. Dismissing open source software because you don't trust the developer is absurd.
If Micay says, "The code does X," anyone who can read it can review it and say, "No it doesn't. It does Y." It's right there. You don't have to trust him. He's shown it to you.
It doesn't matter what the code actually is, or that you can see it, you still have to trust people because there is simply too much of it, even if you happen to be a coder, which 99% of people should not be required to be. This is a FUCKING MORONIC thing to have to spell out, but I guess here we are.
I go into F-Droid and search for "connect". The product page says I updated it 15 days ago and offers an Uninstall option. It shows 1.29.0 as the latest version. So far it looks like a second package manager working properly.
I hit Uninstall and within a few seconds the button switches to Install.
I hit install and the app is installed from F-Droid. I open it and pair my phone to my laptop.
One data point. Perhaps a knob has been twiddled in the Chocolate Factory in response to this article. There are a lot of Googlers here.
(EDIT: formatting)
EDIT2:
I've gone into the Play app and got Play Protect to scan apps: "No harmful apps found". KDE Connect is still working
Oh, that actually changes things, assuming whoever steers things these days isn't more or less the same.
No denying the guy isn't a no-joke developer, so, his code and work would be valuable, but only if the bigger picture didn't depend on his judgement.
It's not that I have a specific scenario of a particular bad thing he might do, like make a backdoor for the government or secretly collect & sell data, or even something like somehow ban you from using as an individual he didn't like because you criticized him or something. It's that once someone is shown to be that irrational, then all bets are off. You don't have to have a specific proposal of what they might do, because they might do anything.
Anyone might do anything, and the only way you can function is you just have to trust other people, and the only thing you have to go on is very little in most cases. So you have to give strangers the benefit of the doubt until there is some reason to doubt. And this guy acting this way is more than enough to avoid. It's not like there haven't been countless examples of people who seemed good at first going off the rails and taking a bunch of users down with them. It is entirely valid to see this guy and go "Nope. Avoid.", and that would not be a case of just ignorant discrimination against non-conformity, it would be using your nose for what it's for.
But if we don't actually have to trust him as much as before, that changes things.
I agree. He attacked me once out of the blue here because I said something good about CalyxOS, and said I was part of a CalyxOS-inspired conspiracy against him. For the record I've neither used CalyxOS nor GrapheneOS because I've never had a pixel phone.
I was following CalyxOS' progress at the time because they were working on enabling support for some OnePlus models but right around that moment OnePlus came out with an update that made it impossible to change the bootloader signing keys and they abandoned the project (which I understand). I'm also a huge fan of MicroG and really prefer this open-source approach over the sandboxed google play approach. And I'm critical about some of Graphene's stances, around SafetyNet in particular ("We don't lie about security features" - I don't agree attestation is a security feature but in my opinion it's more about control/DRM). So yeah if I had a choice I probably would have gone for CalyxOS. But I'd never even heard of the guy before this happened. I had nothing to do with any hate campaign (which I doubt even exists).
But no, I don't want someone like that deciding what code goes on my phone.
I agree this is google doing evil and there should be government intervention for this kind of shit.
There's a timer that re-enables the Play Protect nag after a certain period of time. I can't remember how many days it is.
You can permanently disable it by running the following over ADB or a local shell. Works for me.
# This should disable Play Protect. Maybe.
# https://android.stackexchange.com/questions/187097/is-there-a-way-to-control-use-google-play-protect-together-with-microg-open-sou
settings put global package_verifier_enable 0
settings put global package_verifier_user_consent -1
settings put secure package_verifier_user_consent -1
settings put global upload_apk_enable 0
settings put global PACKAGE_VERIFIER_SETTING_VISIBLE 1
settings put global PACKAGE_VERIFIER_INCLUDE_ADB 0
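An audit-side companion to the commands in the comment above, as an added example that is not part of the original post: it reads `settings list` output and reports which of those keys hold the values the comment writes. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the package-verifier keys from the comment
# above hold the values that comment writes. Input is the text printed by
# `settings list <namespace>`, one key=value pair per line.

# namespace, key and the value the comment sets (only the keys it sets to
# 0 or -1 are watched here).
WATCHED='global package_verifier_enable 0
global package_verifier_user_consent -1
secure package_verifier_user_consent -1
global upload_apk_enable 0
global PACKAGE_VERIFIER_INCLUDE_ADB 0'

# lookup DUMP KEY -> prints the value; returns 1 when the key is absent.
lookup() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        { sub(/\r$/, "") }                     # tolerate CRLF from adb
        $1 == k { sub(/^[^=]*=/, ""); print; found = 1; exit }
        END { exit !found }'
}

# audit GLOBAL_DUMP SECURE_DUMP -> one line per watched key:
#   DISABLED <ns> <key>=<value>   holds the value the comment writes
#   OK <ns> <key>=<value>         holds some other value
#   UNSET <ns> <key>              not present in the dump (never written)
audit() {
    printf '%s\n' "$WATCHED" | while read -r ns key bad; do
        if [ "$ns" = global ]; then dump=$1; else dump=$2; fi
        if val=$(lookup "$dump" "$key"); then
            if [ "$val" = "$bad" ]; then
                echo "DISABLED $ns $key=$val"
            else
                echo "OK $ns $key=$val"
            fi
        else
            echo "UNSET $ns $key"
        fi
    done
}

# Constructed sample dumps (not taken from a real device).
SAMPLE_GLOBAL='adb_enabled=1
package_verifier_enable=0
package_verifier_user_consent=-1
upload_apk_enable=1'
SAMPLE_SECURE='package_verifier_user_consent=1'

audit "$SAMPLE_GLOBAL" "$SAMPLE_SECURE"

# Against a connected device:
#   audit "$(adb shell settings list global)" "$(adb shell settings list secure)"
```

A key reported as UNSET has never been written, so the platform default applies; only DISABLED lines show a value matching the commands above.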
I'm running lineageOS, and I had to root the phone to make one banking app work (and Netflix and some games.)
It actually passes SafetyNet out of the box, but there's a CTS profile check that some apps do in addition to SafetyNet, and I had to root the phone to make it provide a profile that those apps are happy with. And then I had to install a SafetyNet bypass, because fixing the CTS profile broke SafetyNet.
It un-roots itself every time I install an update, which is kind of a pain in the ass, but someone wrote a script to re-root lineageOS (from a desktop computer), so it's not too bad these days.
Would you mind saying what phone you have, and which script? I'm using a (by now rather old) OnePlus 5 and potentially in the market for an upgrade -- and easy rootability is more my key feature than bling or a 50 megapixel camera....
Overall I'm really happy with my g100. The bootloader was easy to unlock, it has a headphones jack, a microSD slot, the battery lasts 2-3 days, and the performance, screen, and cameras are all good enough that I don't think about it.
The only things that I don't like are that the physical size is larger than I would prefer, and it's not waterproof. Additionally, the single down-firing speaker is kind of lame when compared to my previous phone's stereo front-firing speakers above and below the screen. I'd much rather have a bit of bezel if it meant I could have stereo front-firing speakers (and no camera hole punches!)
Oh, and I had to use a different phone to activate the SIM card to make it work on Verizon, because even though the phone is actually compatible with their network, they don't like it for some reason.
Lineage on a Xiaomi redmi 10 pro, everything working perfectly (also dual SIM and SD card + headphone jack) get about 2 days battery life. Though it's quite old now so I've no idea if it is as good as a OP5 or not lol
The way you have to hide from apps is a bit weird these days using magisk filters, but other than that the entire thing has been set and forget, and I've not had any issues
As @morrbo said, you can get a Redmi Note something, I'd suggest the Redmi Note 13 Pro (not plus, that doesn't have the headphone jack, for some reason).
It is great, and the official unlock tool works seamlessly.
But you have to wait a week before unlocking, which I guess is there for you to """try""" MIUI. Still not a problem, though.
Yeah, I probably tried all those scripts people guarantee to work. Even with all profiles I tried to load somehow most of those apps knew I was rooted.
Oh, I didn't mention it in the original post, but I'm also using magisk hide, or zygote, or whatever they're calling it now.
Additionally, I've blocklisted certain apps so that they're not even allowed to request root access, because the banking app that forced me to root it in the first place would ask for root permission every time I launched it.
I use GrapheneOS daily and use banking, government, and other sensitive apps without problem. It's a common myth that you can't use those apps on GrapheneOS.
It's not a myth. I run GrapheneOS, and my bank app doesn't work, the Blind app doesn't work, and another common marketplace app (not amazon) has shadow banned me for using it on a device without hardware attestation. I only found out after reaching out to support and having a lengthy conversation with them.
It's idiotic that they require hardware attestation, but let's not fall into the trap of "it worked for me".
Even with these limitations, I'm okay with continuing to run GrapheneOS.
Even the McDonald's app doesn't work if you install it through Aurora store lol. Even though it's the same signed version distributed through Google play and I have Google play on the device, just not signed into a Google account.
Somehow it detects that it was not installed through Google play and refuses to work with an explicit message stating this reason. I really wonder why they care. The app doesn't even take payment, at least not in this country. You still have to pay at the order portal thing.
Fair enough, but on the flipside I wanted to point out that for at least some of us it's possible to use GrapheneOS with no compromises to the experience. Usually you only hear about those telling you categorically that you "can't" use banking, government and other sensitive apps when that's not true. Anyone on the fence should try it out themselves.
You can run all of these apps with GrapheneOS, in that regard it's very different than LineageOS because it has a compatibility layer as a first class feature [0]. You can either create a different user profile and install the play services there or create a work profile (with shelter) and install google services there.
I keep my banking apps in a work profile and shelter completely freezes/disables them when I'm not using them. Otherwise they work fine.
I do want to note that I'm fine with only using apps from F-Droid in my main profile. I mostly use NewPipe, FairEmail, KeePass and Harmonic (HN client) and that's about it. I don't tend to create accounts on websites but if you use social media this setup will probably not be the most compatible.
It's honestly mind blowing though. I've never run a custom ROM with such a "vanilla" experience, even getting OTA updates within a week of them being out for Android.
That's probably what those apps use, then. Because all those tricks people mentioned never worked. Some explicitly failed saying that my ROM signature wasn't official.
Have you actually tried using your banking application on a recent (post introduction of sandboxed Google Play) GrapheneOS?
Restricting things to only Google ROMs basically also means your banking app won't work on a bunch of non-google Android phones and even most banks don't want to go that far.
When I started using GrapheneOS several years ago, I quickly realized I had jumped a lot further down the FOSS rabbit hole than I realized.
Today, I consider the inability to use government or banking apps on a device that travels in my pocket a feature, not a bug, but it was indeed a steep and sometimes unpleasant learning curve.
They only seem to support pixel, although pixels can be bought for cheap when compared to iphones, they're still expensive for countries which are still developing.
For example I'm using a device which is 1/4th the price of cheapest first hand pixel that I can get
LineageOS is supported on a bit more devices, and works with microG if you're willing to sacrifice Google Pay for better battery life and less privacy violations: https://lineage.microg.org/
This worked ok, but wasn't as nice as grapheneos' solution so I ended up upgrading to a pixel once my cheap chinesium phone was sufficiently old and haven't looked back since. If you do the microg route you should be using a throw away gmail account you don't care about losing with the aurora store (if you need access to the google play store) because there is a non zero chance they ban your account.
> a throw away gmail account you don't care about losing with the aurora store
They also have a pool of accounts you can use by clicking “anonymous”. They do get banned frequently, and you have to re-login once in a while (for me it's almost every time I want to download something new again), but it is definitely usable.
It's a lot less usable lately because of the "Oops this account is rate limited" error unfortunately. Sometimes it takes me 10 tries. Updates are fine though, it's just searching for new apps that trigger it.
LineageOS unfortunately dropped support for my Moto G4 relatively quickly after I installed it and it only was supported up to Android 7.1. I have been running an unofficial build of 8.1 ever since, but that is also horribly outdated by now.
Maybe you can try getting DivestOS running. They only have 14.1 (Android 7.1.2) but unlike old LineageOS builds they patch security vulnerabilities and include some hardening.
Oh yes, more e-waste, more consumerism. We don't have enough of those. Sending text messages and viewing images requires a 90's supercomputer. It's fine.
Same here. I've benefited from hand me down devices for a long time, and I wish I could still be using the Samsung S3- so light, I have several spare batteries, it fit in most pockets, and it has a 3.5mm headphone jack. The iPhone SE from 2015 that recently I gave to one of my parents was nice, too.
My laptop is also from more than a decade ago, and I'm happily running LMDE 6 on it.
Everyone doesn't have to live like this, but it's utterly valid, and no one has any right or justification to try to tell anyone else not to.
I can buy anything any time, but I miss swappable batteries, headphone jack, sd card. These were all basic utility features that made a device interoperable and more generally functional. Removing them only benefits the people selling new phones, wireless headphones, and cloud storage.
My old vaio 3 laptops ago is actually still perfectly fast enough at what I do today, it just only has usb2 ports, which eventually became too big of a pain point. But it also had a real docking station that you plop the machine into, not the stupid "docks" we have today that are not docks but just mega-dongle-hubs where you connect a usbc cable. I miss that dock every day since 5 years ago. I could easily still be using it today even though it must be 15 years old or more by now. And if I were, no one else would have any justification for trying to say that I shouldn't, and no software or service provider would have any justification for artificially creating some incompatibility that only serves their goals instead of mine.
It is for me. And there is nothing important on my phone so it is not a huge concern.
And why do we have to accept that phones just turn into garbage after a few years? Even my old 2009 laptop* still runs an up-to-date OS but my 2016 phone is obsolete after 2-3 years?
* but I have to admit that the hardware is quite slow
> And why do we have to accept that phones just turn into garbage after a few years? Even my old 2009 laptop* still runs an up-to-date OS but my 2016 phone is obsolete after 2-3 years?
It is because computers run one of a few available OS's. The OS is being maintained by the distributor (MS, Apple, Google) and your hardware is good as long as the drivers are still receiving updates.
Phones are different because even though everyone only uses iOS or Android, every Android manufacturer puts their own layer onto Android, so Google can continuously update it but the manufacturer might not. Most companies only maintain their phones for about 3 years, giving a significantly reduced lifetime than computers.
It still works fine, but from a security perspective, keeping the phone without patch support is a bad idea.
I mean, I know why it happens, but that doesn't mean I'm happy about accepting it.
It is really annoying how every vendor cobbles together a Frankenstein abomination of a kernel with just the right drivers and patches and good luck trying to run anything else. But I also understand that they (except maybe for Google) have no interest or incentive to clean up this mess.
Even if your phone really has no access to anything that you wouldn't want leaked (although most people would object to a third party having access to their phone calls, text messages, and location data), a compromised device is still a great way to launch attacks on other devices including taking part in botnets. None of this is an objection to old devices, mind; I'm a big proponent of running new software on old hardware, but the security patches are important.
Interesting, can I still use the Play Store with microG?
I already run LineageOS, but with Play services. I would like to be able to ditch Play services, but still need the Play store for things like my banking app, and an app to log in to government services.
You can install apps from Play Store with Aurora Store, which is in F-Droid.
I'd say it's a toss up whether specific apps will definitely work. But if they don't I'd recommend segmenting between different physical devices, and making the one that lives in your pocket as secure as possible. It's likely that you don't need to run banking and government apps on the same device that's privy to your movement.
In my country (Belgium), mobile payments are a big thing using the national payment network (Bancontact). Lots of small shops don't accept cards and only do mobile payments because of the lower transaction fees.
These mobile payments only work with your banks app or a dedicated app (Payconiq).
My current approach is to put all these apps in my work profile which I can turn off (using Insular from F-Droid). Only apps for which I need background activity or instant notifications (Signal, an open source podcast app, and sadly WhatsApp) are installed in the main profile.
Sadly, this approach still requires me to have Google services always running in the background for a functioning Play store in my work profile.
I've heard something about using Play Store proper with microG, but obviously that's very flaky. Aurora Store is the way to go.
And banking / government apps tend to work in Europe (at least the ones I have tried). Notable exceptions for me are Revolut (shame!) and McDonalds (who knew microG is the healthier option haha). Of course, in the US things might be vastly different.
Yeah. It's either that or state-supported systems (UPS in India, SBP and MirPay in Russia). Cryptocurrencies could be the answer but governments would never let that happen I think.
Even in the US, the limited hardware support is a barrier right now, especially with having to find a unit that has an unlockable bootloader.
But it's still doable for many people. I most recently bought a second-hand Pixel 6a for GrapheneOS, and BYOD it to an inexpensive no-contract plan.
Pixel 6a units with unlockable bootloaders are currently $235+ on US eBay, which is less than new current Pixels and iPhones bought outright, but more than many lower-end devices, and more upfront than people pay for contract plans that toss in a phone.
It's very interesting because 1/4 of Pixel 6a would be around 80 EUR... so I wonder about your environment and what workarounds you have for these problems.
So I'm in India, and pixel 6a seems to be of 30999 Rupees on Flipkart (amazon like online store)
The device I use regularly is moto g14 which is at about 8500 online, with discounts can go for 8000.
Honestly there is no work around as the moto g14 comes with a 4gb ram and 128 GB internal storage, 6.5 inch screen and 5k mah battery, it can do pretty much anything.
I've just started working full-time after college and now I earn more than enough to buy pixels or iphones but currently the money is going on other important things that were pending
It's still based on Android though - so isn't it building on sand ?
Isn't it better to focus our efforts on projects unrelated to Android, especially since some viable ones have appeared recently : Librem 5 and especially PinePhone.
Banks in many countries require an Android phone for online banking. Even if they offer an online-banking website that you can access with any browser, you may still need the Android app for 2FA. This is one of a number of reasons why the PinePhone or Librem is unfortunately not a daily driver. Also, things like paying for parking or interacting with public services are moving to Android apps in some places.
I was given a hardware device by my bank to do my online banking. If they want to move to smartphones I expect them to provide me one of those as well.
One of the very reasons banks have been phasing out hardware tokens (and code cards) is because they represent a cost. Of course the bank is going to put the price of the smartphone all on customers.
When you get to the lowest level, technically, the banking apps want to store files on the phone that the user can't access.
This means that something like lineageos can run banking apps, if the phone tells the banking app what the app wants to hear. It's fiddly but can be done, and in fact it is what I do on my private phone. It also means that a platform that fundamentally gives users the right to read all the files on the phone (ie. to make a complete backup) will not be supported by banking apps, because such a platform will not let the banks do what they think they need to do.
I think this implies that such platforms can't grow beyond a niche within a niche.
While I can understand Google and the banking apps' actions, it doesn't make much sense given how PCs having root is hardly ever a concern for a bank. If you can do something bad with banking on a rooted device, it's probably doable on a computer too.
Oh, banks are definitely concerned about PCs having root. There are even some banks that have removed their online banking websites entirely (except, perhaps, for corporate clients) and require customers to do everything through the Android app instead.
My bank and my wife's bank both require 2FA. On the app, one of the Fs is having physical access to the device (the phone/app, which was vetted by the bank when the app was installed). On web browsers, these two banks don't offer any factor like that.
In end effect, the banks treat a non-rootable device as suitable as a "something you have" factor, but will not treat a rootable device as that.
In some countries one no longer has that possibility. Not everywhere has a range of banks to choose from, sometimes mergers have resulted in just a handful of banks for a country, all of which enforce use of an Android app.
Oh, it’s fsflover, the poster with the Librem idée fixe. Haven’t noticed you here in a couple of years. Your comment elsewhere here about GrapheneOS not requiring much less effort to daily drive is way off. GrapheneOS runs banking apps and, in countries that legally enforce use of certain apps for ID or payment, those apps, too. Zero hoops to jump through. Meanwhile, a Librem phone (or a PinePhone) will not work.
Of course, in some countries you have lack of important freedoms, which says a lot about their state of democracy. However if your country gives you a choice, consider using it in order to not lose it.
It's nice to know that I'm somewhat famous. I never suggested that running banking apps on GNU/Linux phones was as easy as on Android forks (however, reportedly it is possible for some banks). I meant other daily tasks of course.
The country I live in has strong consumer protection laws. Banks deal with it by judging risks: That which is too risky is what they won't offer.
My bank does not offer Western Union transfers, for example, because there's been too much fraud. And does not accept root-platform devices as 2FA "something you have" factors.
Liberty or consumer protection? Your choice, really.
Arguably, typical Android is less secure than a Linux phone, since it constantly calls home, runs a ton of untrusted apps and often has a short software support time.
One of the draws of GrapheneOS is that, since Pixel phones have a relockable bootloader, that Android image will pass SafetyNet. While Google Play Services is typically required by banking apps, on GrapheneOS you can run Play Services in its own sandbox.
They might, but app for my bank works happily on LineageOS.
Same eg. with app for a local 2nd hand site, which on startup complains that it needs the Google services... and then runs without issue (only appears to use those Google services to pinpoint the phone's location).
Imho this is 1 more reason to put alternatives like LineageOS on a phone: the more users on those, the harder it is for app developers to drop that usergroup for... well, reasons.
Most reject phones that don't pass SafetyNet. There are ways to pass it with unofficial images/rooted phones, although I'm not sure for how long they will keep working and I think you still need Google Play.
As I said, for many banks, in order to log in to the bank's website on a laptop, you need to receive a 2FA code sent through the bank’s app on an Android phone.
I’ve found that many times when a service says this the system will work with any OTP program. They just don’t tell you specifically. Maybe they don’t know, think it’ll confuse, and/or prefer you didn’t.
Here (in Russia) typically SMS is used as a second factor and you don't need an app. Requiring to install an app is basically requiring to buy a modern smartphone only to be able to log in.
It's the regulation that should focus on creating the foundations of alternative systems, not the phone manufacturers. If a bank doesn't have a website, or a govt app doesn't have a website equivalent, then Librem & co is already out of the picture, from the everyday usability standpoint. To provide the citizens freedoms, service providers need to be forced to use open standards, like HTTP & HTML, to serve a standard interface that has all the necessary functionality. No matter how many grassroots initiatives we have, if this is not provided, they are automatically all out of the race.
So really, if anything, I'd like people to focus on regulation.
As an owner of both a Librem 5 and a Pixel 6a running GrapheneOS I can confirm that the latter has been much more reliable and has taken substantially less work to get to the point where I can daily drive it. The Librem 5 is not there yet, and while I would like it if it were I'm not currently very optimistic about that.
In the past year, I have used a PinePhone+keyboard with Arch, a OnePlus 6T with postmarketOS, and a Pixel 7a with GrapheneOS. In my opinion, Graphene is significantly easier to daily drive because the applications are designed for a phone's form factor.
The biggest one is the Firefox ESR build from the pmOS repos with the custom userChrome.css that tries to fit everything onto the Pinephone's screen. I pretty consistently encountered pop-up prompts (for example, in the built-in password manager) that ran off the edge of the screen in both portrait and landscape. Zooming out sometimes helped, but then the text was unreadable and the buttons too small to press. There was also no forward button in either the overflow menu or the nav bar. The Phosh settings app had similar problems.
There's some hiccups when you first set GrapheneOS up, but after that it is as smooth as, and blends in with, any other Android device. I've never used Librem or PinePhone to comment on them
… as long as you trust the developers, and their ability to secure themselves, of course.
I mean, if I was a three letter agency, sneaking into some GrapheneOS developer’s basement to add a camera to record his keystrokes would be the easiest trade ever for all the paranoid people using it. It’d be way easier than sneaking into Apple or Google. Might even be worth violating internal law to do it; because getting caught is extremely unlikely, and forgiveness is easy.
Edit: Also, don’t forget that, if you should get arrested, “he used GrapheneOS” is 100% going to be used against you in court. You might use technical arguments or principled reasoning, but that doesn’t resonate with juries. Unfortunately, using extra-strong privacy tools is perfect for framing you as a criminal.
B. The NSA hasn’t stolen the signing key and isn’t feeding you customized images?
True, you can’t verify that with iOS or Android either. I am saying though that trusting my security because it’s safer… by being in some guy’s garage feels like an odd trade. One that shouldn’t be casually ignored, at least.
If your threat model for your phone includes the NSA as an adversary, maybe you shouldn't be using a phone at all.
For the rest of us, who just want to be violated less, we have to choose our poison. The corporate options are shameless violators, and the alternatives are gambles.
Even if this was true, it seems harder to compromise a single paranoid coder working out of his garage than any one of 1,000 corporate developers, their workstations, or associated networking, or servers in any (even high-security) company.
Weakest link in the chain and all that. There are just a lot fewer links in the chain. More likely that a vuln is introduced as part of Android and makes its way into GrapheneOS than directly into a tiny project.
I’m saying that, if people who use it aren’t careful, they could end up like the university kid.
There was a university that received a bomb threat over Tor. They found one student who used Tor on the network at around the right time, and because he was the only Tor user, he’s in jail for a very, very long time. That kid was at Harvard, his pursuer the FBI.
If you are going to use GrapheneOS, don’t be naive and think it will make you agency-proof. If anything it probably flags you to their attention.
Why are you under the impression that since I want to use a more secure OS than Android or the equivocating Apple that I must be wanting to bomb a university?
Absolutely not. But if anything bad happens, or you are attending a protest and suddenly getting investigated for rioting, you might have second thoughts.
I do not condone or endorse illegal activity. That does not mean your use of GrapheneOS might not be used against you if you use it at an inopportune time. There is currently almost no discussion online about this, so it’s worth a mention.
Edit: I forgot to mention some obvious context in my head. Think journalist, in Russia, using GrapheneOS for “safety.” In such a situation, probably a terrible idea.
The kind of over-cautious cowardice you are displaying is what drives societies to become conformity-enforcing police states.
"You're painting your fence beige instead of white? Are you sure that's a good idea? What if there's a crime committed in the neighborhood - beige-fenced deviants are the first that the police will look at!"
People have been trying to stick Linux and the AOSP for the same reasons, but it's quite obviously never worked. Linux and Android are not popular because they are superior security tools, they are popular because they are free and accessible. Governments play poker, they don't want you to know what their hands look like. Condemning any particular software is the equivalent of folding their hand; it's an admittance of defeat. It won't happen unless they face a hopelessly equipped adversary, like Huawei.
GrapheneOS is likely not a secure system, but neither is any smartphone OS. I'll compliment anyone taking steps towards transparency that makes governments and global-scale corporations tremble at the knees.
I remember seeing that news on arstechnica or some tech publication I was following at the time.
It actually put a little fear in me because I look around and not a lot of internet users in my small hell hole of an open prison I call home and I was like "dude. You're like an alert beacon screaming here is a tor user, check him out".
I was using tor at the time and that is the last day I used it because this use case fit me somewhat. Not for sending bomb threats but because the nature of surveillance, I am a target of the government so any outlier gets flagged pretty hard.
It doesn’t matter who is coding it, it matters who owns the signing key that will make your phone recognize the authenticity of the software. And, of course, if anyone else has it.
Google wants more control by projecting itself as an infallible trust authority on the device.
Its standards are so high that if you are ever on the other side of its automated tools, the first response usually is to blame the user rather than hire any human support team to investigate issues, even if they may be coming from its programs. And then the reports keep coming on how it was an error or mistake due to scale of operations; it's just a rounding error. Next time it will be different. Trust us, we are the only ones who know this or are able to do it right; even if we sometimes do make mistakes, you should only let us do it. No one is better than us.
Related to this, I really dislike how Google Play acts like it owns your device. Installing an apk? Hey, I'm Google Play, I exist, how about turning Play Protect on?
Looking at AOSP, the logic that allows something like Play Protect to work is at [1]. It looks for system apps that can handle the ACTION_PACKAGE_NEEDS_VERIFICATION intent, which is the Play Store app in this case. Looking at the Play Store's AndroidManifest.xml, the PackageVerificationReceiver component is what listens for that intent.
With root access, it should be possible to disable just that component without breaking other functionality by running:
Those messages are very annoying. Play Protect periodically tries to get you to turn it back on, once every few weeks or so. I really wish there was a way to turn that annoying nag off.
Glad I have it off though: KDEConnect is great, I use it all the time to transfer files and send text messages from my computer.
Rather, it's a benefit of an unlocked bootloader; you can root a device with a locked bootloader, and you can use an unlocked bootloader to install an unrooted OS (or, for that matter, you can unlock the bootloader without rooting, depending on the device).
> Unless you mean as a right, without needing to root? I'd disagree (from a corporate/warranty perspective), but I'll bite
Why? I mean, sure, if the manufacturer can show that damage resulted from the user modifying the device then fine, but otherwise there's no reason for modifying software to affect a warranty on hardware.
> otherwise there's no reason for modifying software to affect a warranty on hardware.
I think you bring up a really good point. Except for extreme cases, such as a software that is designed to be self destructive on the physical components in which it resides, the hardware should mostly be unaffected by the software. Mostly that some components get used more or less than they were before, changing efficiency of some functions. Then we get into the grey area of whether or not the unorthodox use of components caused damage.
> if the manufacturer can show that damage resulted from the user modifying the device then fine
Here you are putting the burden of proof on the manufacturer, which seems a little unfair. If anyone can make a complaint (make use of warranty), and you the manufacturer are guilty as charged automatically unless you can prove the software caused the damage, then there will be an insurmountable amount of work to thoroughly review all software not sourced from one of your already-vetted approved sources.
Then again, if burden of proof falls on the accuser (warranty holder), it is a catch-22 because you can't prove that a software is without any issues. Companies are constantly creating patches not because they intentionally want to have a fault until x day, but because they genuinely thought the software was good until y vulnerability was found/exploited.
I think this is why companies take the 'any usage outside these specific approved usages voids the warranty' approach. In application to this conversation, this means while you may change your OS, it doesn't shock me that a manufacturer wants to keep their hands away from those consumers
I think it's fundamentally more reasonable to demand proof that something did cause a problem, rather than that it didn't cause a problem, because you can't prove the negative. And yes, of course companies would like to never be liable, but keeping them honest is why we have laws around warranties.
Do you think the ability for the owner to root is not worthy of protections? It seems odd to draw that distinction when they are two sides of the same coin
Takes about 9 seconds to load, then redirects to a nitter instance. Does it benchmark all the nitter options out there and then redirect you to the best result? The farside.link homepage doesn't really say
I swear on God. Just 2 days back playstore decided to auto update my installed apps. The thing is I have them disabled by default. I cancelled the update, switched off the wifi. But once I turned it back on, it started auto updating again.
I think that line has been blurry (blurred?) for a long time. Is it ill-intentioned when Apple slows down charging with non-authenticated cables because "they might be shitty and high currents can cause a fire"? If companies can hide behind good intentions, they will. And I'm not even sure such intentions originate from human beings, anymore. Not from individuals, at any rate.
I can't really comment on that but what I know is that play store also has KDE connect available and this issue is not happening for the people who got it from there. Perhaps it's someone who has some sort of play signing enabled with uploading unknown apps and the signature difference between play and fdroid versions might have created a false positive.
That's my bet as well, the signature difference probably makes it look like one of the many fake APKs people often download from piracy sites and malware infested file sharing sites.
Unfortunately, Google doesn't let you upload an APK with your own signature to Google Play anymore, so the devs can't really offer any solution. Best I can come up with is downloading the signed version from Google Play and uploading that, but that'd make updating the app without uninstalling impossible for most of their users. Same with offering the free version as a different package name as the proprietary version, existing users would lose updates.
Google needs to fix this because they're basically killing every alternative app store this way, which probably violates the DMA/DSA law (whichever applies here) in quite a major way.
I don't use KDEConnect, but quite a while ago I got FUD about battery life from Play Protect concerning F-Droid itself. Never mind that F-Droid has never used more than trivial amounts of battery.
If they installed a keyboard with the same app id (e.g. com.google.[...]) F-Droid would try to update it and ask the user to confirm the update since F-Droid can't update an app that was installed by another app store.
I'd be curious which keyboard this is. Maybe Gboard took over the app id of the previously foss android keyboard.
PS: I recommend F-Droid Basic which supports silent background updates on any Android 12 without root.
The app it wanted to install was its AOSP, it's likely that I was using another AOSP build at the time but I'm not sure. I've used either AOSP or gboard almost all of the time, so it's 99% likely to have been one of those two.
The AOSP keyboard was available on f-droid when I installed f-droid, and the f-droid app kept nagging me to replace the keyboard app on my phone with the debloated AOSP version from f-droid. Debloated, in this case, meaning without support for minority languages such as mine.
There's nothing intentional there. If the keyboard you had installed was also distributed via F-Droid using the same APK identifier, then F-Droid just detects an update since it's the same app.
To prevent this (it can happen with most apps distributed both on the play store and F-Droid) you can tell F-Droid to ignore updates for a specific app.
Is this proven? Some days ago I saw the reddit thread which is actually the first and only reply in the link and in that reddit thread there is no conclusion yet on who is actually affected
The reddit thread makes it pretty clear that KDE Connect installed through third party sources are what's getting uninstalled.
Nobody with it installed from the play store mentions it being removed, and though some users that got it from F-Droid mention it still being installed, there are several possible explanations for that. Like me, it wasn't removed on my phone but it turns out I disabled PlayProtect at some point.
Even if it is like you state, link directly there, to the exact posts that prove this and not in an intermediate site. HN is supposed to keep a higher post standard