TechEcho

Android 14 blocks all modification of system certificates, even as root?

329 points by pimterry almost 2 years ago

26 comments

phh almost 2 years ago
As an author of an old root for Android, and of modern generic custom ROMs, and other Android OS stuff:

The title is, and forever will be wrong. When we say you're root in Android, you're actually root. You can actually do whatever you want [1]. Magisk (the now modern "root" for Android) now includes stuff to even "edit" Java code, so even if it's hidden deep somewhere, you should still be able to access it. (Even if somehow it moves from Java to native code, we'll still find ways, don't worry)

The fact that the author didn't manage to do it doesn't mean it's not possible. I could guess what the author's issue is (I have two ideas in mind: 1. it requires stop;start to restart zygote, because zygote cached CAs, 2. it needs to switch to correct mount namespace before doing the commands), but I won't try it, I got tired of working on closed-source Android stuff.

> More investigation is required and it's hard to know the full implications of that now, but for the many forks of Android like GrapheneOS & LineageOS, and for advanced device configuration tools like Magisk and its many modules, it probably spells trouble.

I just don't understand this. GrapheneOS and LineageOS teams have full source-code access. They can do whatever they please with it. (The limitation being that Google breaks stuff at an incredible rate, and following is a bit annoying)

Anyway, I hope that Android becoming more and more user-hostile (and more specifically in this case power-user-hostile) will move more and more people to custom ROMs. (In my dreams I make an "OwnerDroid", an Android fork where the security model doesn't have the first line saying "the user is an enemy", but even though I developed some tiny bricks of it, the overall project would take a huge amount of work)

[1] Except for some kernel-level protections, but GKI reduces that risk.

bitsandboots almost 2 years ago
So many good comments here, but I keep thinking about how thankful I am that PCs don't work like smartphones, and it's sad it's regressed to this point.

Android has so thoroughly defeated itself, that I feel crazy to say I'm thankful that microsoft doesn't run the PC world like google runs the smartphone world.

Windows itself is a bastion of stability and sanity compared to android. Things do not need to be upgraded prior to the hardware actually breaking of old age.

Beyond that, just like google, microsoft doesn't control the entire hardware-software pipeline. But just like google, microsoft is in a place of power where they could have made it incredibly inconvenient to own your PC, by dictating norms through a store, or discouraging any deviation of environment by safetynet.

My memory is bad here, but did this sort of thing ever end in antitrust lawsuits for microsoft in the past? And, when can we look forward to the same for google?

jchw almost 2 years ago
I'm daily driving a Pinephone Pro. Interesting note out there: Chase.com tries really, really, really hard to block you from using non-standard browsers (like Librewolf) as well as phone/tablet browsers (it will try to force you to use the mobile application.)

At least until WEI becomes mandatory, this isn't really a serious problem, since these braindead measures are all easily bypassed. However, I am interested if there is any potential legal avenue to pursue given that Chase is a bank. My first guess would be ADA compliance, but I'm not sure. At this point, I'm so fed up that I am not sure if it is an empty threat anymore to say that I'm interested in filing lawsuits over this.

(I realize this is a tangent, but it's relevant because it underscores yet another facet of how leaving the oligopoly of mobile phone operating systems is damn near impossible. Android will just keep getting worse, probably even if the Linux phone niche miraculously grows to a couple percentage points; we need *something*.)

bonyt almost 2 years ago
I think android is - and has been - more heavy-handed than Apple here. Even when you could install and trust a new root CA, some apps can and would ignore this. Apps can use certificate pinning on both iOS and Android, but apps by default on Android just ignore user-added CAs by default on Android 7+, since 2016[1].

On iOS, the process of trusting a root CA is (rightfully) tricky, requiring you to install a profile and jump through some hoops with some scary warnings, but in my experience most apps will trust it unless they're using pinning.

[1]: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

ylyn almost 2 years ago
Isn't this just how mounts work? If you have something mounted to /apex/whatever and each app has a separate mount namespace, then mounting over /apex/whatever in your namespace wouldn't change anything in any other mount namespace. You'd need to either just alter the filesystem directly, or enter the other apps' mount namespaces and mount your tmpfs there too.

Shared mounts might be useful here. Not sure. I'd need to take a closer look at what is going on here.

But I would say this result is probably a byproduct of whatever namespacing/containerisation Google is doing, rather than an intentional effort to prevent users from changing the root CAs even as root.

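Added example (not part of the thread, and not code from Android or any commenter): the per-namespace behaviour described in the comment above can be checked by comparing `/proc/<pid>/mountinfo` across processes and reporting what each namespace actually sees at a path. The mountinfo excerpts, the process names and the `/apex/whatever` path are constructed placeholders.

```python
# Constructed sample data; nothing here was captured from a real device.
TARGET = "/apex/whatever"  # placeholder path, as written in the comment above

# Constructed /proc/<pid>/mountinfo excerpts, one per mount namespace.
SAMPLE = {
    "root-shell": (
        "21 1 253:0 / / ro,relatime shared:1 - ext4 /dev/block/dm-0 ro\n"
        "40 21 7:8 / /apex/whatever ro,nodev shared:20 - ext4 /dev/block/loop8 ro\n"
        "95 40 0:44 / /apex/whatever rw,relatime - tmpfs tmpfs rw\n"
    ),
    "app-a": (
        "121 100 253:0 / / ro,relatime master:1 - ext4 /dev/block/dm-0 ro\n"
        "140 121 7:8 / /apex/whatever ro,nodev master:20 - ext4 /dev/block/loop8 ro\n"
    ),
}

def parse_mountinfo(text):
    """Parse mountinfo lines into dicts (field layout as documented in proc(5))."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")  # a lone "-" ends the optional fields
        f = left.split()
        fstype = right.split()[0]
        mounts.append({"id": int(f[0]), "parent": int(f[1]), "mount_point": f[4],
                       "optional": f[6:], "fstype": fstype})
    return mounts

def top_mount(mounts, path):
    """Mount visible at `path`: the one no other mount at that path is stacked on."""
    here = [m for m in mounts if m["mount_point"] == path]
    covered = {m["parent"] for m in here}
    top = [m for m in here if m["id"] not in covered]
    return top[-1] if top else None

def propagation(mount):
    """Peer-group tags; no tag means the mount does not propagate to other namespaces."""
    tags = [t for t in mount["optional"] if t.startswith(("shared:", "master:"))]
    return ",".join(tags) if tags else "private"

def audit(samples, path=TARGET):
    """Map each namespace to (fstype, propagation) of what it sees at `path`."""
    report = {}
    for name, text in samples.items():
        m = top_mount(parse_mountinfo(text), path)
        report[name] = (m["fstype"], propagation(m)) if m else None
    return report

if __name__ == "__main__":
    for name, seen in audit(SAMPLE).items():
        print(f"{name}: {seen}")
```

In the constructed data the root shell sees a private tmpfs stacked on the path while the app's namespace still sees the original read-only image, which is the mismatch the comment predicts.
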
MishaalRahman almost 2 years ago
Left a reply to the author on Twitter, but putting it here as well in case they didn't see it.

Hi! I'm the guy who wrote the blog post about updatable certs in Android 14 that your article linked. Not sure if you're aware, but there's actually a system property you can set to bypass reading from the APEX cert directory.

system.certs.enabled=true

From: https://android-review.googlesource.com/c/platform/frameworks/base/+/2423168

nottorp almost 2 years ago
This sounds nice for security, hell for some developers but:

What happens in 2-3 years when this version of Android is abandoned? You pray the hardcoded certificates will last you a couple more years?

bitsandboots almost 2 years ago
Every android release I see things removed, and inconsequential things added. It seems like iOS has been doing the opposite, such that slowly they may meet in the middle, and then iOS exceed android in every way.

Apple folk, can I get an honest opinion here: I've been using macOS lately and I hate it because it fails at really basic user experience things that've been common on windows/linux for decades. Like finder, it's just the worst.

If I were to get an iphone next generation instead of an android, would I have the same negative reaction to iOS? Would you say that iOS is a more complete, useful UX than macOS, for the smartphone use case? I think I want to make the jump, but I also don't want to waste my time/money.

ZeWaren almost 2 years ago
I have a private PKI I use to connect to my self-hosted software: email server, calendar provider, notes server, photo sync tool, etc.

I NEED to be able to add my root cert to the list of certified authorities.

I don't need to change anything to the system provided list. I just need to add mine. It's my device, I'd like to be able to change anything if I want to.

CSDude almost 2 years ago
HTTP Toolkit was very helpful for me to extract hidden APIs from crappy EV charging apps in Turkey, combined with Frida to prevent SSL pinning and root detection.

Then I realized, the reason they try to hide is maybe those APIs are abomination /s

NoZebra120vClip almost 2 years ago
I'm not sure of the implications here, so, two questions:

(1) What effect does this have on user-installed credentials, such as a certificate for OpenVPN? I used to be able to install those myself, with a few taps. They did produce the ominous message about someone monitoring my network activity, of course.

(2) Will users still be able to disable CAs in preferences? I routinely go through the list of CAs and disable anything I don't trust, mainly based on country of origin, so China, Russia, Turkey get shut off, et al. Will this functionality still be available in Android 14?

chc4 almost 2 years ago
I mean, you still have root and APEX packages aren't doing anything tricky specifically to stymie modifications - they're just mounted file systems. You're still going to be able to modify system certificates, it's just going to be less convenient and need something more than dropping a single file to a folder. Hell, the code is even still falling back to the old file system path if the APEX mount doesn't exist, so you could just delete the entire module and go back to the old method.

t0bia_s almost 2 years ago
How green and sustainable exactly is this approach from Google when it makes forks like LineageOS harder to maintain?

LineageOS is the only way to keep many devices up to date with security patches. Ability to have newer version of Android is just a bonus... or... uh wait.

sansnom almost 2 years ago
It's very good news for security and also for 99.99% of the Android users. But get me wrong, it would be nice to support power users, they just need to add a feature to easily add a chosen CA and it would be perfect.

Currently CA management was very dangerous because it was not updated (as stated in the article).

New CAs were not added so if you kept your phone long enough you would see insecure warnings popping up. People would take the habit of accepting without thinking: very problematic behaviour. One solution is to use Firefox which doesn't use the system CA unlike Chrome.

Another more problematic one: untrusted CAs were not removed (the author gives the example of TrustCor but there were other examples in the past like DigiNotar). Who knows what happens to the private keys of old untrusted CAs? If they end up in the wrong hands people could get MITM. (Personally, I had to remove DigiNotar for my old phone.)

And of course as the author said: it's also problematic for new certificate authorities like Let's Encrypt which at a time needed the complex cross sign certificate to ensure the certificates work for everyone. [1][2]

[1] https://letsencrypt.org/2020/11/06/own-two-feet.html
[2] https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

keyme almost 2 years ago
People here just love their locked bootloaders for some reason. But once you free yourself of this silliness, and root all your devices after unboxing, you'll be good for yet a few more years.

Of course it'll only keep being this easy temporarily. Here's a scene from 2026 for your imaginative pleasure:

Door: You need to scan your COVID25 vaccine QR code to open this door.

QR App: This app will only run on a HW attested device

------

Shopkeeper: We only accept WhatsApp pay at this store.

Payment App: This app will only run on a HW attested device

------

Your friend: We can only talk on this one messaging app that everybody uses.

Messaging app: This app will only run on a HW attested device. Oh, but we promise that this encrypted blob of executable code that you can't disable is here just to ensure the *safety* of your E2E encryption.

------

Your custom ROM rooted Android 18 phone: Running a secure messaging app that was banned from the Play Store and has only like 2 other active users in the world.

The police: Papers please. *Phone touches the scanner*. *Scanner beeps and turns red*.

The law: You have violated the Digital Safety Act. Daily driving a non-licensed general purpose computer is illegal as this may endanger "our children".

The law: You have violated the Public Health and Safety Act. Daily driving a non-licensed general purpose computer is illegal as this may be used to circumvent your quarantine and vaccination control status checks.

------

I can go on and on. I think you get the gist of it. Once we have HW attestation fully figured out, these laws will come. Cash will go away. Your agency will go away. Etc.

... And the punchline of the ghost story? The guys coding this stuff up? They're here with us reading this thread. Commenting about the virtues of locked bootloaders for your security.

g1a55er almost 2 years ago
Isn't it well known in the Android modding community how to replace and make custom APEXs? E.g. XDA has some good documentation. That seems like the right way to solve this problem.

[1] https://www.xda-developers.com/android-q-apex-biggest-thing-since-project-treble/
[2] https://www.xda-developers.com/android-10-custom-boot-animations/

1vuio0pswjnm7 almost 2 years ago
Where are the diffs of Android 13 against 14. Isn't this an "open source" project.

If Google actively prevents "rollback" to a previous version, then how does a computer owner try out the new version. Once installed, there is no going back. Even if the owner discovers the new version is unsuitable. It's Amazon with no returns. A new car without a test drive.

Reading source changes might be an easier way to review the new version than running it in an emulator and trying to figure out what changed. Is it not possible.

Brian_K_White almost 2 years ago
And recently there were discussions about browsers disallowing self-signed certs, even for local host, and going https-only, and the supposed excuse is you can edit your local root store.

Well now what?

exabrial almost 2 years ago
We really need a third operating system for phones.
benmmurphy almost 2 years ago
There are much more reliable ways to intercept traffic than messing with the root certificates. I believe corellium has a more solid strategy where they modify the TLS library to accept certs signed from their proxy and then the certificate from the origin server is passed through as an extension on the proxy certificate.
curiousgal almost 2 years ago
I mean if they were willing to mess with something that was completely unbroken like the quick access tiles for WiFi/data back in Android 11 (or was it 12?) I wouldn't put it past them to mess with anything else.

maven29 almost 2 years ago
Say hi to ebpf, now shipping with android kernels.
kevincox almost 2 years ago
Android isn't really open. In order to have a "certified" device you need to remove user control. For example users by default aren't even allowed to access app's "private" data. That was enough to get me to move to something where I am in control.

But if you move away from a "certified" ROM then you start to fail SafetyNet (or its successors) and many apps will refuse to work. Those apps want to make sure that the user isn't in control of their devices, they want to make sure Google or a "trusted party" is.

They say this is to ensure the security of your device that logs into your bank or whatever, but I guarantee that my LineageOS updated this week is more secure than my stock Google ROM that got its last update 3 years ago. If Google really wanted to prove security with SafetyNet they would stop attesting devices that haven't been updated. But it isn't about device security, it is about ensuring that the device is controlled by a big corporation, not the user.

dvngnt_ almost 2 years ago
the more they move towards apple levels of control, the less reason people have to stick with android.

GenericDev almost 2 years ago
I'm so sick of this.

I don't feel like I own my devices anymore.

varispeed almost 2 years ago
Obviously governments can't have an operating system where users can do as they please, e.g. bypassing government mandated MITM certificates so they can spy on citizens.

So the groundwork is being prepared for coming things like Online Safety Bill here in the UK, where all communication will likely be under surveillance and so you won't be able to mod your phone to "opt out".

It's a shame that such a resourceful company like Google bends over to some control-freak right wing governments like we have.
