I’m frustrated. I’m a long time fan of Motorola. Their phones have been pretty simple and easy to remove junk apps. Recently I got an update that forced perplexity on my phone.
rooted
Root is always a security risk, you really should not. (GrapheneOS comment (on Reddit) about rooting.)
out the box
None, probably. Refer to Bootloader Unlock Wall of Shame instead to check which companies do not restrict bootloader unlocking. See here for a list of devices where the bootloader can be locked with custom AVB Keys.
security risk
All those rooted concerns are true for desktop Linux / MacOS, and they still ship with sudo. If I can’t rm -rf the root partition then its not really my device.
The bootloader wall of shame is nice.
Android does not have the same security model as desktop Linux. I made a comment about this above (which you probably can’t see due to .world being defederated with who I replied to), but if you don’t want to go to my comment history, it’s summed up as three or so main issues.
Rooting breaks OTA updates since it modifies your partition hash, meaning rooted users tend to leave security holes open way too long. Android does not have a package manager for you to be able to update these issues individually.
Android does not expect users to have root access, so they do not even consider it in the design. Android sandboxes apps, and apps can only generally have permissions that you grant, with no direct access to the kernel. However, rooting adds an entirely new attack surface for which there are no protections whatsoever. Desktop Linux, on the other hand, does expect users to need root level access from time to time. That’s what sudo is for, but you should not confuse this with switching your user entirely to root and doing everything as root. There’s a reason that’s not recommended on Linux: it’s dangerous. The same thing applies to Android. On top of that, Linux has other tools and protections designed to make running as sudoer safer, and Android has none.
Finally, it breaks your ability to use proper verified boot. If your system partions silently get malware installed, there’s generally no way for a user with a rooted phone to notice. Verified boot protects against this, but because rooting (along with whatever else you’re running as root) changes your partition hashes, it will either stop booting or revert your changes.
If mobile Linux ever takes off, it will likely be very similar to desktop Linux and be designed with root in mind.
Good guess about the federating problem. Thats a good reminder for me to change instances (was on lemm.ee before it died, .world was my backup).
OTA, while a fair point, again sounds to me like a technical problem, not a fundamental design problem. E.g. disable the partion hash check so OTA can be installed in a timely way.
Linux has other tools and protections.
- If there are protections they’re at the system level (not app space). Which means the ROM provider could/should add those same protections as Linux instead of saying “you dont need root, stop asking”
- AFAIK there are, unfortunately, basically no protections on Linux. Sudo can be trivially shimmed (add malicious exe to PATH) without even having sudo permissions, then the next time user inputs sudo an attacker would have their password. Its bad that its so easy, but its a double standard to say Linux is fine but an (up to date) Android with root is vulnerable.
OTA, as of right now, needs to hash the device to prevent system corruption. I don’t think it’s a very simple problem to solve, or surely there would be a ROM out there that does fix it with root. A better fix would be a package manager, but that’s not going to happen with AOSP.
Regarding #1, it’s fundamental to AOSP, and not any particular ROM. Similar to the OTA issue above. It’s not just graphene (which, technically, you can root fyi, but I really would not do so, as again it defeats the purpose of running a verified boot secured phone).
#2 is debatable, because it’s also highly dependent on the distro and configuration. As an example, immutable distros (which are actually closer to Android than non-immutable distros) make it so sudo/root isn’t needed very often, if at all. Fedora CoreOS, for example, can run package updates on a schedule without user intervention, use rootless containers, and do verified boot. It can be deployed from a single file and validate itself after the fact, meaning a user would never be prompted for a password at any point. Obviously that’s not a 1:1 because it isn’t made for PC usage, but other distros based on Fedora Silverblue and the like can be more secure than standard Linux for similar reasons. Everything is generally sandboxed (flatpaks and containers) and root is rarely, if ever, required.
That being said, if you’re not concerned, there isn’t anything stopping you aside from your phone’s manufacturer, which I’m sure you’re aware of. I’m fine just knowing that I could do it, and much prefer the security benefits of verified boot and proper sandboxing above all else. I don’t trust Google to properly patch zero days related to rooted phones, let alone patch the ones that affected non rooted devices.
Immutable OS’s like nix and fedora silverblue still have sudo, they can still rm -rf /. If they can do it and maintain security, then Android can too.
I agree both the OTA and safe way of doing superuser requests could be heavy technical work. My bigger point is people who manage ROM’s shouldn’t demonize having full control of devices we own. Root can be done safely. Its not an inherent security risk, its just a technical problem waiting for a technical solution. “Just accept you dont need it” is not an acceptable response IMO.
Do you need root? It’s a big security risk, for multiple reasons.
You can always just get a used pixel (no further money to Google), and install a custom ROM that allows your bootloader to relock after installation. I personally prefer Graphene for this, but I believe Lineage also allows you to do so. They both have no bloat from the start, and GOS has sandboxed Google Play and Lineage has the ability to use microG iirc.
GOS can be installed via chromium based browsers, even from another phone. Security wise, there’s nothing more secure at the moment.
Why are pixels so popular for this?
Pixels are (currently) the only phones that allow for all of the following at once:
- Proper verified boot
- Bootloader unlocking (this is most important for any custom ROM installation, regardless of ROM)
- Hardware memory tagging
- Full hardware isolation
- Hardware key attestation
- Ability to disable USB data (and also USB entirely) at the hardware level
- Everything else on this list
In short, it’s simply because Pixel currently has the most hardware level security features of any Android phone (on top of bootloader unlocking), for now. The Graphene team is allegedly in talks with an OEM to produce a phone specifically designed for it, which may be just as or even more secure. Time will tell.
I feel the need to mention that I’m not trying to shill for Graphene and especially not Google. Depending on your threat model and goal, Lineage or similar might be just fine for you. I just don’t think there’s anything more secure than GOS at the moment, and if that is important to you, along with minimizing bloat, it’s a great choice. I do highly recommend avoiding root and instead just get something that you can unlock the bootloader for, and then install a degoogled ROM. Just make sure you don’t accidentally buy a permanently locked phone, make sure it says unlocked somewhere in the listing.
That’s what OnePlus, Nothing, and FairPhone are supposed to be about.
For privacy, I like my iPhone, but I can’t really recommend them anymore. Even with “Apple Intelligence” the keyboard is hilariously terrible. It gets a few things right and I’m wondering more and more if the ecosystem is worth it. But throwing money at Google somehow seems worse.
