I’ve been a long time Android user and have been flashing custom roms on older phones when they end of life from their manufacturer to keep them up to date.
I started thinking… how far should we trust custom roms?
There’s a whole other debate how much you should trust the OEM roms as well but right now I’m focusing on custom roms.
Sure, they’re open source but I’m not sure exactly how many eyes there are on the source code itself for a given rom. Many of them are “just” tweaks of some bigger more basic rom too, like Lineage OS for instance, then there’s usually just one guy managing his particular rom.
Someone could theoretically add some nasties in there without people noticing if the code isn’t vetted.
Sure, you could say that that’s possible in all open source projects, like Linux Distros and so on, but there we have a ton of people working on the code so there’s a much higher chance of bad stuff being found.
I’m not necessarily saying I don’t trust Lineage OS or other roms, I was just hit by a train of thought and wanted to see what you guys think.
For my part I’d give more credibility to LOS than roms based on it that are managed by just one or a few persons for instance, but still.
I don’t know. Was I suddenly hit by the paranoia stick or are these valid concerns?
Thoughts?
The issues with trust are an absolutely valid point. But the fact that I trust a random group of people online more than the manufacturer is a dire state.
It’s hard to draw an exact line somewhere too. You have to compromise or you’d end up worse than Stallman and Snowden combined. All technology ends up off limits then but still. Avoiding obvious and actually avoidable pitfalls is a good practice I think.
Defining and finding those pitfalls on the other hand…
This is in fact what’s wrong with all of it. Our safety simply is NEVER the prime goal of any company. It’s money. And with these groups like LineagOS it’s the user again.
I generally don’t trust custom roms you can get from individuals in XDA unless they have a really strong reputation. If they are supported “officially” by someone like LineageOS it might be safer.
I always went safer by compiling it from source.
It might be a bit safer… but you still have to trust the source?
But yeah, I flashed an official Lineage OS nighly that I got from their own site… It still bugs me though and I kind of wish it didnt. :P
LineageOS roms are probably as safe (regarding bad actors) as they can get with custom ROMs.
They undeniably have declined in popularity, partially because Stock Android now contains lots of features that used to be exclusive to custom roms and partially because those people more privacy minded have moved to alternatives like Pinephones and such.
True, these days I wouldn’t really flash a phone that’s till supported… but when they hit end of life it’s another story. Using an unpatched android phone isn’t exactly optimal.
this is the primary (official) reason why most banking apps require an unrooted device, and check that the bootloader hasn’t been tampered with. they don’t really care what you do with your phone, but a custom ROM doesn’t have to comply with the usual official checks and balances, and so theoretically could be malicious.
the bank “trusts” the official OEM rom, because the OEM rom belongs to a company that can be “controlled”. ie. pressured into ensuring apps are safe, etc.
the bank doesn’t trust the open source rom, because it isn’t “owned” by an entity that can be controlled.
a reason lots of companies don’t like open source, is because"who do you sue when something goes wrong?". closed source isn’t any safer, but at least you know who to sue when it breaks.
It is a fair point to be honest.
Closed source could be a bit safer due to liability I suppose?
If they were to do something really nefarious and would get caught they’d get sued to pieces and probably lose most of the reputation?
Sure, a shady rom would lose it’s reputation as well but that’s about it. There’d be new ones out pretty quickly.
And for what it’s worth… I don’t think they’re doing anything shady… but still.
I mean, I use Linux on my main machine at home. That’s open source. I do trust that though…
This all struck me after flashing an old phone I had laying around (My main phone is supported for 2+ more years) and then feeling like… do I want to use this now? I got a slightly dirty vibe from in. :P
Being security conscious is annoying at times…
Genuinely I’d trust random FOSS stranger on the internet before I’d trust Google, Samsung, Apple, etc. It’d be a lot of work to be the sole maintainer of a LineageOS distro that only functions on one specific phone just to try to steal the data of the maybe 12 people who are going to install it.
That is a pretty good point to be honest.
And usually the Dev or the Devs grandma uses the ROM themselves. It would be alot of work to be insidious and make one version with harmful code, and one that is safe… For twelve random people from somewhere in the world.
Custom roms do improve security of an EOL device, though you’re missing out the vendor security patches which aren’t open source. You can read this discussion here.
They do yeah, but they could technically include some shady stuff as well.
I don’t know. I do like custom roms since they revive old phones. But I’ve recently started feeling a bit iffy about it to the point that I’d rather get a new phone that’ll be supported for like 4 new years or something.
I’d say keep digging. I’ve never gone too deep into this, because I don’t have a device that can be rooted. When I do venture down this path I tend to come across these great revelations; “Ah ha!” moments, where I see accusations of telemetry and developers being called “shills”. So far, they have all turned out to be trolls and personal vendetta situations.
Honest researchers looking into this have probably published articles, I’d have to take a look since I do have access to those through my work. Then there are opinionated YouTubers and people with neocities sites…
I think these are valid concerns, and they are the same concerns many people have with Open Source software: who do you trust, big company with infinite resources, or a guy with a Forgejo?
The guy on Codeberg or Forgejo might have less resources to hide something, and probably wouldn’t dare. The bigger the companies, the more people involved with the resources to make tracking software look like regular data requirements.
If you employ something with hundreds of hours of code you’re less likely to see backdoors. Look at a simple program and any kind of odd insertion stands out immediately.
Yeah but how?
I mean, who’s going to verify the code? And then there are new nightlies every day. Sure they don’t contain that many changes, but you’d need to monitor them, for every rom on every phone. Well, maybe just for the one rom and the one phone model that interests you but that’s still not feasible if it’s not a paid full time job. If someone were to do that on their spare time they wouldn’t have much of that left :P
I used to play around with custom ROMs back in the Nexus days but I use my phone now for so many banking and other security - focused things nowadays that I feel it is just too risky to do all of that on a device that uses a non OEM ROM.
Maybe I’m too paranoid, but phones have gotten so complex today that even highly technical users have trouble ensuring that every aspect of their device is safe unless it is locked down to some extent.
That’s basically where I’m at as well.
Ignorance is/was bliss… I used to not care as much about security concerns but these days I’m a bit more paranoid when it comes to IT security overall.