30 comments

[ 3.8 ms ] story [ 80.3 ms ] thread
I've been using Lineage+MicroG for the past several years and I won't buy a phone that isn't supported by it going forward: https://lineage.microg.org
This rom build from microG may not even be needed since LineageOS now supports signature spoofing (as of a few weeks ago).
Official builds before this could still be made to work with microg using the "microg installer revived" Magisk module. That's how I installed it on my current phone while still getting the benefits of more regular updates.
I've always wanted to try Lineage, but I've never owned a device supported by it. I tend to use Samsung. And for some reason, it only supports devices on models/years I've skipped and then stopped at the 10 series. Guess it wasn't meant to be.
If memory serves, that's less of a Lineage problem and more of a Samsung problem; they tend to be hostile to user modification (locked bootloaders, etc.). Or at least, that was the case last time I looked at them.
Shout out to LG as well for sending their final phone to E-waste in the same way

The LG Velvet is the only "flagship specification" phone I could get in Australia with 5G, a MicroSD card slot and a headphone jack!

3 weeks later LG killed it citing the "other big unnamed Korean electronics giant taking all our market share" and then later promising "2 years of updates guys, we promise!"

At least if we could unlock the fucking bootloader we could port Lineage or Graphene or something to it. But (at least on EU derived models like mine) that never happened

Reluctantly on a Pixel 7 Pro now

I agree - older Samsung devices used to work well with LOS thanks to the unlockable bootloader. My last Samsung with LOS was a Galaxy Note 3 - it seems that Samsung devices after that became increasingly unfriendly to modifications. I haven't purchased Samsung devices since because their stock firmware is unpleasant (forced bixby, coerced signup with Samsung in addition to Google, uninstallable garbage, etc.)
True! But an example is I have a perfectly good Samsung Note 8 that isn't being used. But Lineage only supports Note 9 and 10.
It's a shame, because I really like the Samsung build quality. I have ran Lineage on the S4, my first Lineage phone, then S7, then S9 was my last. They were a joy to hold in hand, and, I felt, a testament on how good manufacturing got in my time. But, as many others, I wanted a specific OS to run, and that needed a specific phone, and so, I'm using GrapheneOS on a Pixel 7a now. It's a mixed bag, I definitely feel the step down in some respects, and the step up too at the same time.
Over the last decade or so I extended the useable, updateable life of several ASUS Android phones using LineageOS (née CyanogenMod). I'm now a GrapheneOS Pixel user, but I'd use LineageOS again on suitable devices as needed.

If you're thinking of using LineageOS, make sure to look up MicroG to see if you can or cannot live without that additional set of apps and libraries:

https://microg.org/

I would love to use an open system on every smartphone but: Can I use my banking software with all the security bells and whistles?
> Can I use my banking software with all the security bells and whistles?

Most custom ROMs(including official LineageOS) are as secure, usually even more, than OEM ROMs. There is just one threat model where it is weaker, which is the evil maid. But it is safer on all the other ones (the evil metro wifi, the evil video, the evil app...). (and personally I take the metro everyday, while taking my shower while I have a maid home just doesn't happen)

As for whether banking apps will work, it's entirely dependant on whether your back is trying to serve their customers or not. Most banks I use work just fine on custom ROMs without hacks. But for instance Google Pay is skimming down on costs, and users pay the price for it.

From a usability standpoint, the reasons don't matter, many of the banking apps are unusable, full stop. This is something that someone has to reckon with, if they want to venture into the custom OS land.
> Most custom ROMs(including official LineageOS) are as secure, usually even more, than OEM ROM

I definitely don't think that's the case. I'd check out the sections on microG and custom ROMs here: https://madaidans-insecurities.github.io/android.html (they're very knowledgeable, so usually factually accurate, but often frame or evaluate things in a very biased way IMHO, so be sure to evaluate the verifiable facts they state for yourself, and your own threat model). They're way more open to exploitation and far less secure than OEM ROMs, typically because of the way they have to pry open security stuff to get their various hacks to work. They are typically much better on privacy, but having your phone, from which you do all your communication and banking, and which has a dense cluster of sensors and transmitters that follow you wherever you go, be more open to exploitation by any random hacker or piece or malware seems like a bad idea to me.

OEM ROMs that passed Google certifications and everything have been found in the past to:

- Send the content of your clipboard to the internet (OnePlus)

- Disabled SELinux on boot (Asus)

- Allowed any app to be uid 1000, and exploit known for years (Samsung)

- Ignore Linux policy and just picked security-looking patches. And got pwned repeatedly by simply looking at LTS patches. (Google)

As for madaidans-insecurities, they are extremely biased.

Just mentioning microg:

> which allows apps to request to bypass signature verification.

There is EXACTLY *one* app (k k k, two because of Play Store fake too) that bypasses signature verification, and you can VERIFY, which app does it, and WHICH signature it fakes. LineageOS integrated their own microg/fake signature mechanism thanks to Google anti-freedom policy, and you can review their own integration that is even more restricted than what I did (which already is infinitely more secure than what madaidans-insecurities mention): https://review.lineageos.org/c/LineageOS/android_frameworks_...

The final comment in the microg section basically sounds like "oh yeah, that argument could be completely wrong, meh"

> OEM ROMs that passed Google certifications and everything have been found in the past to

That's really good to know to keep things in perspective! Thanks for taking the time to bring that perspective. Although I would say that it seems like LineageOS kind of does all of those kinds of things at once, whereas OEM ROMs might do one or the other each? Or am I wrong?

Edit: also, I can't find any info on your ASUS claim, and the OnePlus one seems misleading (it's not some vulnerability or passive background thing that just broadcasts your clipboard, it was an app you could electively use to send clipboard stuff to other computers).

> There is EXACTLY one app (k k k, two because of Play Store fake too) that bypasses signature verification, and you can VERIFY, which app does it, and WHICH signature it fakes.

I'm not familiar with Lineage OS — does this mean that you know only one app will ever do this and can verify that, so it's just one specific exception to the rule, or is it just that the spoofing was made possible for just that one app, and only one app is known to do it, but any app could without your knowledge in theory?

> As for madaidans-insecurities, they are extremely biased.

Like I said, their factual knowledge is generally useful, but their framing (including context, so you can get some perspective) and analysis is usually wildly biased IMHO. I wonder what their damage is.

> I wonder what their damage is.

Torvalds' low opinion of on security researchers in general comes to mind.

Worst case you can use laptop.
Counterpoint: My bank, which has next to no physical branches, no longer permits depositing a check from a desktop. I must either use the phone app, or mail the check in.
Worst case scenario change banks.
The new banks these days straight up require an app from the Apple or Google stores for you to have an account.
This is just anecdotal, but LOS+migrog on my Oneplus 7 Pro hasn't failed on a banking app for me yet. Sometimes the setup is quirky, like needing to uncheck "remember me" to log in on Fidelity's app, but the app then does work. Fingerprint unlock works too.
Would be nice if all phones were supported and not locked (just like on pci can install Linux or Windows in version / distribution I choose)...
My kingdom for a root / exploit for >=2020 kindle fires that would allow me to put lineageos on my kids' devices!
OnePlus 6T with Android 14 is still working like a charm, this even beat out Nothing Phone 1 in getting the latest Android update
Wish there was a phone where the camera on LineageOS is as good as the stock. On my Samsung Galaxy S7 using the camera on non-stock in painful (takes seconds to focus, when it focuses at all).