
This is the reason why I ended up with a non-flagship, mid-tier Moto phone that allowed me to unlock the bootloader and root. Headphone jack and microSD card support was also a very high priority, and the reason why I didn't end up with a Pixel. I want complete control over my device. With recent Android versions it seems like Google is locking down the OS and making it closer to how iOS is.

It's becoming harder to find good phones that allow bootloader unlocks and rooting while also being supported by AT&T, which I am tied to because of a family plan. Samsung phones, even if you buy the US non-carrier variant, don't allow bootloader unlocking. AT&T provisions VoLTE and VoWifi based on a whitelist of phone models, so international variants won't work on the network at all. A microSD card slot wouldn't fix the underlying issue of bloat but would at least decrease the impact of it.



I also have a mid-tier moto phone, unlocked. If I root, do I receive OTA updates?

I've been missing AdAway in root mode, so I was wondering.


I think it's still possible to apply OTA updates but the process is not automatic. In my experience it doesn't successfully apply the update and unroot you, it just fails. This is a very unpopular thing to do, but I turned off OTA updates and I don't plan on upgrading from Android 11 anytime soon. Even security updates failed to apply automatically. Sometimes you have to reset the entire OS, including installed apps, in order to update. I think you need to reset during the rooting process as well, as OEM and bootloader unlock forces a full data wipe. It makes sense from a security point of view; rooting shouldn't allow someone to gain access to information on an already encrypted device. I strongly dislike the way Android is becoming more locked down; I'd rather risk a wild security exploit compromising my device over not having root access to my own files. In my opinion, not having the ability to access your own files is the same as dealing with a virus. I wouldn't ever recommend someone else do what I am doing. But it's something to think about while considering rooting.

I use Viper4Android. I am thinking I might intentionally upgrade to an older flagship, when I do get a new phone, because there's no feature a new OS will get which will make me want to give up root and V4A.

AdAway is nice, since it is a set-and-forget app; I forgot I have it installed. Firefox+uBlock, YouTube Vanced, and DNS or VPN level adblocking are usually good enough for me and don't require root.


Do bank apps still work with the rooted phone?


Depends on the bank; every single financial app I use has always worked. My credit union app, Schwab mobile, TD Ameritrade, Think or Swim, PayPal (I have a CC from them), Robinhood, Coinbase, Venmo, CashApp, and Ally Bank all worked. I haven't used some of them in a couple of months but they all definitely worked as of Nov 2022. Using the website instead is also an option. But I have read of issues related to it online, but I am not sure how they rooted and the method makes a difference.

I haven't had any issues using this device for 2 factor either, Google "sign in using device" is fine with it and so is Duo.


Would like to know this as well. I rooted my OnePlus recently, and the moment the secure boot chain of trust broke, no security sensitive apps worked.

I've signed my own secure boot loader on Linux, but I don't know if you can do it on Android at all, since you don't have keys or can modify the secure storage easily.


Do you know if OnePlus uses the same A/B style OTA updates as Pixel devices and whether it supports setting a custom bootloader key?

If so, you might be able to use my avbroot project [1]. It roots the boot image, signs it with your own key, and replaces the OTA verification certificate with your own, so you can install future updates signed by your key while the bootloader is locked.

[1] https://github.com/chenxiaolong/avbroot

EDIT: I read a bit about OnePlus devices. Looks like they do indeed support locking the bootloader with a custom signing key installed. So I went ahead and added support for OnePlus' OTAs in avbroot: https://github.com/chenxiaolong/avbroot/pull/32. There are only minor differences compared to Pixel's OTA images.


That is awesome, definitely going to try again using your method!


> I've signed my own secure boot loader on Linux, but I don't know if you can do it on Android at all, since you don't have keys or can modify the secure storage easily.

Even if you could, Google's hardware attestation API is based on checking their keys against their cloud services, and that's what banking and DRM video apps will generally be testing for going forward.


True, it gets tricky when there's an online component to it, since they can just keep their key secret, if the service I'm using is also online. Would there be no way to spoof it? Like,

Client (validate)-> server, requires a valid signature which I cannot sign unless I have access to their private key

Client <-(SpoofedAuthSuccess) SpoofServer, is also impossible if the client requires data from a server to work properly going forward. The only thing you could attain, is to unlock the client locally if you reverse engineered it, but any data not stored locally, is impossible to get. So wrt. games, since you mentioned DRM, it might be possible to unlock the content if it is local, given a clever reverse engineering solution? Even if they encrypted the data on disk, at some point, they have to decrypt it in-memory locally.

But for server, where all validation and data is gated behind an 'authoritative' server, I guess it's just game over for unlocking anything yourself with a certificate. Even if you manage to magically solve it, they will just issue a new certificate, and quickly invalidate the old one I guess.
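The trust relationship discussed in the comments above, as an added example that is not part of the thread: a simplified model (not Google's actual attestation API) in which the verifying server pins a vendor key, so a device key the owner endorsed themselves is rejected even though its own signature is valid. All names and keys are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed keys: "vendor" stands in for the attestation root the server trusts.
const newKey = () => crypto.generateKeyPairSync('ed25519');
const spki = (pub) => pub.export({ type: 'spki', format: 'der' });

// Endorsement: a signature over the device public key, made by whoever provisions it.
function endorse(signerPriv, devicePub) {
  return crypto.sign(null, spki(devicePub), signerPriv);
}

// Device side: answer the server's fresh nonce with the device key.
function attest(device, endorsement, nonce) {
  return {
    devicePub: spki(device.publicKey),
    endorsement,
    sig: crypto.sign(null, nonce, device.privateKey),
  };
}

// Server side: the device key must be endorsed by the pinned vendor key,
// and the nonce signature must verify under that device key.
function verifyAttestation(pinnedVendorPub, nonce, att) {
  if (!crypto.verify(null, att.devicePub, pinnedVendorPub, att.endorsement)) {
    return 'untrusted-key';
  }
  const pub = crypto.createPublicKey({ key: att.devicePub, format: 'der', type: 'spki' });
  return crypto.verify(null, nonce, pub, att.sig) ? 'ok' : 'bad-signature';
}

function demo() {
  const vendor = newKey(), stock = newKey(), owner = newKey();
  const nonce = crypto.randomBytes(16);
  const stockAtt = attest(stock, endorse(vendor.privateKey, stock.publicKey), nonce);
  // Owner-provisioned key: the endorsement is signed by the owner's own key.
  const ownerAtt = attest(owner, endorse(owner.privateKey, owner.publicKey), nonce);
  return {
    stock: verifyAttestation(vendor.publicKey, nonce, stockAtt),
    selfSigned: verifyAttestation(vendor.publicKey, nonce, ownerAtt),
    // A captured answer replayed against a new nonce fails the second check.
    replayed: verifyAttestation(vendor.publicKey, crypto.randomBytes(16), stockAtt),
  };
}
```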


I am not sure what you mean by security sensitive app. Something like Samsung Knox will not work after you unlock the bootloader but that's because of the assumptions it needs to make in order to promise user data integrity. It's similar to apps requiring TPM for data/disk encryption. Self-signing wouldn't restore that chain of trust. Those apps breaking is working as intended; none of the financial apps I use were affected. There's an option for systemless root.

Also, I know companies have used the root status as a form of DRM. That's not about user security, it's about protecting DRM security, like Widevine L1 or L3 and the Android Netflix app. Financial apps haven't been an issue for me; I am running bootloader unlocked and rooted using Magisk.


Just reread what you meant, yeah, I see that self-signing wouldn't necessarily solve the issue. As you say, it might also be that some apps use root status. After they updated our digital signing platform, a colleague who had a phone from China which wasn't even that old, stopped working, and I've had friends which had the same thing happen. They weren't rooted. So I don't know if there is some hardware component to it, like TPM that you mentioned? It's worth saying, you cannot use banking apps here without a valid digital signature, which proves your identity. It's not just the financial app itself, it's the legal requirements we have here, which make the financial apps use this digital identity verification.

So if self signing cannot guarantee those assumptions that are being made, there's no way around it.


I've had problems with digital signing as it's used everywhere here and banking apps.


I've heard you can do it on Pixel phones, but they don't sell those phones here in Peru, sadly.



