I detest Google, but I do think they made the right call with Android devices and Chromebooks. You can unlock either as long as you are willing to totally wipe the device first and start over as a new device under a new security context.
This removes the risk of this being abused to compromise the data of stolen devices or evil maid attacks unless a user that knows what they are doing has explicitly opted themselves into that risk.
I contacted Google through the BBB. I made the statement that the lack of ability to install and configure a kernel-level firewall, edit the HOSTS file, and remove unwanted bloatware reduces the security of the product. Google agreed their actions do this and said they find the lack of security acceptable. Having a firewall like Little Snitch should be acceptable, to know where the phone is communicating, with whom, and how to prevent it.
Re-imaging with a rooted image is not acceptable because this also reduces the device's security by preventing OTA updates!
The gated community is broken when the end user cannot improve the security of the device above and beyond the lax policies of Google and Apple. For instance, there should be no reason my device ever communicates with organizations I do not support, such as Facebook or X-Twitter. X-Twitter is often used as a command and control service in plain sight.
It is not just outward communication to monitor but inward too. I've used Zone Alarm in the past at an international company to help find the infected servers and computers that were serving up viruses and other malware.
*I would argue that the "Gated Community" analogy is flawed. A real-world gated community still allows the homeowner to improve the security by installing cameras, a security system, and guards. Apple & Google prevent such actions.
There are indeed software firewalls on Android that use the VPN functionality to implement something like this so they don't even require root, I believe Glasswire offers one.
It does create an interesting choice, though. For example, certain apps will enforce attestation based on the bootloader status. Even if the user wipes their device and relocks their bootloader with their own keys, this doesn't count as fully secure per the bootloader status. Only Google's keys count. Of course, it is also almost prohibitively difficult to deliver yourself OTA updates after this point. I worry that one day I will have to keep two mobile phones; one for bank apps, which has not been altered from the vendor's security defaults, and one for everything else, that I am actually allowed to modify.
At the moment, I just run GrapheneOS and don't bother with any modification. It is not worth the hassle. I've already had my bank account locked out because a Google Store-bought Pixel phone was flagged as "stolen", probably due to some attestation measure (they could not tell me why). They recommended that I purchase a new phone.
Right now, although it's possible to use Android with either root or a third party ROM, attestation breaks all sorts of little things. Today this is mostly banking apps, and anything that involves NFC, but this isn't where it's going to end.
Attestation requirements are only going to become more prevalent. I predict that in a few years basically all proprietary software for Android will require attestation.
So... you may still be able to unlock the device and make it yours, but you'll also be locked out of the ever expanding and ever-more-isolated walled garden.
If you can live off of GrapheneOS and F-Droid, that's great, but for a lot of users this won't be a real choice, because you increasingly need proprietary software for access to real things in the physical world (i.e. I needed to install a special app for event tickets recently).
The problem with bootloader unlocking on modern Android devices is that they have a hypervisor that you don't get to ever unlock but that will snitch on you and make some apps, like some banking ones, refuse to work because the "integrity" of your device could not be verified. In other words, because these apps can no longer be certain they are able to hide data from you the device owner.
Magisk exists, yes, but it's a flimsy temporary solution. It only works because it's able to lie to Google that your device doesn't support hardware attestation. As soon as Google starts requiring that all devices support hardware attestation, it will stop working.
If software doesn't want to run on your hardware because it can't make sure you're not tampering with it, why is it wrong for doing so? You're not necessarily entitled to the ability to run the software, right? I understand the implications this has on one's ability to create custom operating systems are troubling (e.g. this could destroy desktop Linux), but at the end of the day I guess it is just a choice the developer is allowed to make. It's not like they distribute the binary with no strings attached.
And there are some real strong reasons why you benefit from this sort of ability, such as preventing folks from cheating in competitive games. I can't say that all uses seem to have good reasons to use it, but that seems like more of a vote with your wallet sort of situation. Perhaps the play store should also have stricter requirements on acceptable use of attestation and ensure they are upheld.
> If software doesn't want to run on your hardware because it can't make sure you're not tampering with it, why is it wrong for doing so?
It's not the software, it's that the hardware itself, that I bought to own, still serves someone else in a way that's detrimental to my interests, and that can't be overridden because those stupid encryption keys used to sign attestation reports are burned into the silicon and only accessible to that TrustZone hypervisor that can't be unlocked.
> And there are some real strong reasons why you benefit from this sort of ability, such as preventing folks from cheating in competitive games.
Maybe playing such games on general-purpose devices is a bad idea to begin with. You know, consoles are already locked down pretty tight. But then there are PCs that have no hardware roots of trust at all yet you can play anything on them and sometimes even compete with console players. So go figure.
Because in some countries you must run some government sanctioned apps that require a "blessed" device, or you are a de facto non-citizen?
If Americans had anything like BankID or MitID which would refuse to run on their devices and they would be prevented from paying a bill, transferring money, buying tickets, or reading their mail they would go apeshit in 5 seconds.
Some apps are no longer optional in the world we are living in.
They require hardware certification for the Pixel Screenshots app... and for anything that uses Gemini Nano (Call recorder summary, weather, pixel screenshots, etc).
Lol, I've had my Pixel 9 Pro for a month but I forgot about that pixel screenshots app. The other features are unavailable in my country anyway, especially anything that has to do with calls.
I agree useful rooting should be easier, but it's definitely possible and not super hard to hide rooting.
I'm typing this on a rooted phone where all (banking) apps work just fine. All it takes is downloading an app (Magisk) and adding apps to a list that need to have rooting hidden.
> it's definitely possible and not super hard to hide rooting.
Worth noting that this could change with every update. It's an unstable situation right now, which is undesirable.
For that reason, e.g. the GrapheneOS team isn't employing measures to fake compliance at all. They'd really like to get SafetyNet compliance for their operating system (you need that to get Google Pay/Wallet to work), but fundamentally can't get it. Right now, they could just fake it, but that's not guaranteed to work reliably, forever (and doing so would probably threaten their official BasicIntegrity compliance).
Magisk only works because Google still supports devices that don't support hardware attestation. Very soon you won't be able to fool Play Integrity without hacking the TEE.
> We don't just need root access, we need undetectable root access.
At some point the argument morphs from 'I should be able to do whatever I want with my device' to 'I should be able to access your service/device with whatever I want'.
The fact that Google allows this shows that
1. Apple could do it with zero security impact on anyone who doesn't opt in
2. They could keep any service-based profit source intact
But they still would never do it. Because it's not only service based profit they want to protect. They want to restrict customers from running competitor's software on their hardware, to ensure they get their cut.
> At some point the argument morphs from 'I should be able to do whatever I want with my device' to 'I should be able to access your service/device with whatever I want'.
I'm not demanding to be able to log in to your service/device and replace IIS with Apache on it. I'm just demanding to be able to access it as a normal user with Firefox instead of Chrome.
Agreed, that's a good solution. I can root my phone immediately when I buy it, or I can leave it locked if that's my choice. That's the best of both worlds.
I would argue that the best of both worlds is being able to add your own keys and then relock the bootloader. Which Pixel devices also do :) Not sure about Chromebooks; I kinda think you maybe could reflash the firmware and then put back the write-protect screw?