Hacker News | nabogh's comments

I'd recommend making sure your site is in Marginalia's index. E.g. here's how I confirm my site is in there:

https://marginalia-search.com/site/nhobb.com?view=info

And link to sites you like!


I'll hoover up the links from this post for sure. Did last round as well.

I agree with you but the whole thing makes me uncomfortable. We're definitely making it easier for these security conscious companies to do vendor lock in if we encourage passkey use.


Hey Omar! I met you briefly in Grenoble many years ago. I hope you're doing well.

I only recently watched this series and found it very entertaining. But I never expected it to be very accurate. It's definitely been dramatized for TV. I definitely didn't get an anti-nuclear sentiment from the show, I mostly think they were trying to portray a negative view of Soviet Bureaucracy.


Hey Nicolas! Very glad to hear from you :)

I honestly don't see a problem with dramatization (not my taste, but people are different I guess).

My issue is with Craig Mazin's (the creator of the series) insistence that he stuck to the details and the truth in the series: https://www.youtube.com/watch?v=yY0r1Ln6tkM


I actually write down the secret for all my TOTP codes in a notebook as a backup.


Yep, I have been in one group for years, then in the last month I started getting spam emails from comments on the group.


We need another OS in the market. A duopoly just isn't competitive enough. Too bad the cost of entry is so high.


I agree with you idealistically, but practically, creating an entirely new mobile OS with market share competitive with the existing two is an unbelievably massive challenge. It'd probably be just about as easy to get people to care about sideloading in the first place.


Remember how Android used to be an open source project and how we had Google backing AOSP? I think it's time we maintain the latest fork and just use that instead.


That only solves the OS side of things, but doesn't give you a good ecosystem. Unfortunately, an increasingly bigger number of apps rely on Google services and attestations, meaning you need Google-approved software to run them.


I wonder if it'll promote having multiple devices, fragmenting into multiple ecosystems. One for the approved walled garden, another for uses that can exist without relying on those services (anything that doesn't need payments?).

Another approach I wonder about is single task specific hardware, like a GPS unit or media player, what tasks have developed over the past ~18 years within the mobile ecosystem and are mature and not rapidly evolving enough that they can be unbundled to their own devices, and desirable enough to stand alone that there's a market for it.


That's highly inconvenient; most people won't bother with that. The ~1%, though, will certainly do that, and black market apps and jailbroken OSes will rise.


That's not the problem. It's the bootloader locked hardware and the TPM anti-"tampering" security verification that more and more apps require.

It's not just the OS makers. They're also responding to the demand of companies and governments to control their users through them. They will not say "no".


> It's not just the OS makers. They're also responding to the demand of companies and governments to control their users through them. They will not say "no".

I don't believe that entirely. For example, how much safer is a banking app protected by Play Protect, running on an OEM ROM with tonnes of OEM/Google/Meta malware, compared to the same running on Graphene, Lineage or Calyx? I think it's the other way around. Google or their associates convince either the banking firms, or more likely the security audit companies, that Play Protect (SafetyNet or whichever latest flavor) is an absolute necessity for security on Android. In the latter case, those security firms will give the developers a checklist to follow, which will include an item on enabling that API. It's unlikely that so many banks will choose them of their own accord like that, even if a bunch of them insist on Google providing it. I have even seen banks disabling the API in their apps through updates. And they also don't have any problems with their web applications that don't have anything similar to remote attestation. Besides, if you look closely, it's in Google's interest, not the bank's interest, to enable these APIs. Such apps will only run on the OEM ROMs, making the open source and custom ROMs somewhat untenable.


I'm not sure banking firms need any convincing that attestation makes their systems more secure, as it is true. If the only way to interact with the app is via a human interface, that means you can't have scalable fraudulent traffic hitting your services. Without attestation, someone could MITM the app calls, and then automate it away.

Or when you do, you can then link it to specific group of people based on the identifiers you received from the attestation.


Is AOSP no longer a thing? I've been using GrapheneOS for a few years and admittedly lost track of AOSP, I just assumed it was still a thing despite Google generally wanting to control more and more.


Google now only drops the source code after a release, not during development. Also, much AOSP functionality has been moved to Google's Play Services, which is closed source.


The problem is moves like this will keep happening, since people don’t have much choice. Unless we bring up a societal trend of dumb phones.


We used to have strong consumer protection advocates on both sides of the Atlantic, and those consumer protection advocates used to influence laws and regulation which forced corporations to stop doing anti-consumer stuff like this. Those days can return with enough organized labor and solidarity among the working classes.


Yea, but you will need to organize offline because chat control will catch your terrorist messages and report you to the police. And make sure to leave the phone at home so they can't see all the phones meeting in one spot. But how do you go to the location then? Public transport uses the phone for payment, your car uses the phone as authentication / key.

It's a very slippery slope that is very close to being implemented. In a way, we can hope that the current political climate somehow decimates the American corporations that control the systems, but it looks more like IBM during WW2 supplying counting machines to the Americans and to the Germans and everyone else.

The phone platform is officially lost at this point, there is too much political pressure to control it. We are going to increasingly need to rely on sneaker nets, small mesh networks, and home made "illegal" communication devices. The internet will continue to exist, but it is going to fracture more and more with the political wars that are happening at the moment.


I had to do some light research on Wiki, but it looks like Firefox OS was supposed to fill part of this void. Sadly, it was not successful, and the project lost funding and support from Mozilla. I think if Mozilla could not do it, it seems hard to imagine there is an open source org with more talent and money than Mozilla who can make it work.


> I think if Mozilla could not do it, it seems hard to imagine there is an open source org with more talent and money than Mozilla who can make it work.

I don’t believe that at all. Mozilla has been on a string of awful decisions for a long while. They start dumb projects no one asked for or wants all the time and abandon everything swiftly, even the good ones. Look at Rust and Servo.

Firefox OS barely lasted two years between release and discontinuation. It never even stood a chance for most people to even have heard of it or tried it, let alone be successful.


It's not necessarily that Mozilla could not do it. Just look up Mozilla's revenue sources.


I'm not downvoting you. But the limiting factor probably wasn't the funding at all. It was the competence and marketing. At some level, they had to deal with the hardware stack - which IMO is a very hot mess right now. The only reason why it works for Android is because the OEMs are also in on the game - just like how it was (is?) for the Windows machines.


Sailfish tried and failed. Various Linux distros also tried and failed even harder. Consumers at large just aren't interested in anything other than iOS and Android.


Consumers are interested in everything new.

The problem is - Linux (outside of server land and maybe SteamOS) is everything but (regular) user friendly.

When people buy a new phone they expect a smooth experience without any major inconveniences and a uniform UI. And apps. Lots of apps. Full of features and mature UI. Linux mostly has none of it.


The Linux experience on a decently powerful mobile device (i.e. not those open-source phones that perform like a 2010 smartphone) is perfectly fine. I find the Plasma experience to be a little lacking, but the Ubuntu experience is good when you find a phone UBPorts works on. Phosh (GNOME) works better on mobile than it does on desktop for a lot of things (multitouch touchpads come close to mobile in terms of smoothness).

Consumers didn't pick up Windows Phone or HarmonyOS enough to matter either. Access to the two common app stores is crucial for user adoption even when the UI is good.


I wouldn't say "Sailfish failed". It's still well alive, maintained and usable. All they need is some more traction and a proper business case.


Users need a new feature or a new power to justify transition. Learning a new OS is not free. Someone should reuse Android UI, but upgrade the OS to full Linux.


Mimicking the Android UI and UX is very trivial. The hard part is getting the OS to run on the mobile device in the first place. On top of a tonne of custom drivers, it also requires a way to either get accepted by the OEM locks or a way to bypass them entirely. This is getting harder by the day even with Android custom ROMs.


Valve has managed something similar with SteamOS as well as Proton built on Wine to make Windows games run on Linux, performing as good as or often better than an actual (modern) Windows install.

SteamOS isn’t too far from a mobile OS.


It's the mobile hardware drivers (such as for the modems and 5G etc.) that are likely roadblocks - these hardware manufacturers probably have some sort of OEM agreements, and so cannot open-source these drivers for all devices.

I would wish that mobile devices' specs and hardware drivers are all available, so that I am not dependent on the manufacturer supplying a compatible OS.


That will only work as long as Microsoft feels like ignoring it, and they are already starting with something similar to how netbooks were killed in the end.

Valve will learn the OS/2 lesson, by not fostering a proper native Linux ecosystem.


They are doing that with their own games and tooling, look at CS2. But Valve can’t force all other developers and publishers to do the same, they can only show the way, which they do.


> A duopoly just isn't competitive enough. Too bad the cost of entry is so high.

I've heard this one before... given the apt political analogy, I wouldn't hold out hope.


There are already open source OSes that run on phones that aren't based on Android.

Off the top of my head there's a Debian based one, a Fedora based one, webOS, PostmarketOS, probably others. Wouldn't be that difficult but yeah, the cost of entry is still probably tens of millions.


It’s like Uber, DoorDash or Carvana, you can’t fund a huge project like this without free money. ZIRP is the moat.


use a fork. GrapheneOS is amazing. I feel like I own my phone, I trust my phone, and it obeys me, for the first time in a decade.

unlock. flash. spread the word. use the fork, Luke.


Sadly that's not always (or won't be soon) an option. I recently had to buy a new phone so that I could run the 'updated' banking app that requires attestation to run — I was running Google-free Lineage.

Without attestation, banking apps stop working and without a banking app, you are locked out of modern life in many ways.

This latest Google move makes it impossible to run an attested Android without the sideloading limitation. That means that you'll have to choose between GrapheneOS and using your banking app.

I'm sad to say that I've already had to make that choice :-(. I feel that I was coerced into it.


Why didn't you just change banks?


I'm in the same boat as OP. Used GrapheneOS until Google Pay was enabled in my country. ALL banks then killed their proprietary NFC wallet apps in a month and told users to use Google Pay. I switched to using a Garmin watch for a while.

Then bank apps themselves started giving me warnings that my device was insecure (the irony) and I got increasingly frequent KYC questionnaires coming my way. One of the banks also disabled access to some money transfer services, which I suspect is because of some flag on my account in their system.

I had to ditch GrapheneOS at that point. There are simply no banks that I can switch to.


Exact same thing happened in my country. All the banking apps moved to Google Pay/Wallet and there's now only one bank left that supports the AOSP Android Pay feature. Also using a Garmin watch now.


That's wild. Thanks for the info.


Ah, yes, just use this small project fully dependent on Google and that requires you to buy exclusively Google phones. This is the way.


This is also no long term solution. GrapheneOS can't diverge from Google Android too much, otherwise modern apps stop working. And Google will definitely go for alternative ROMs next.


I could've sworn GrapheneOS or LineageOS people were in talks with manufacturers to deliver devices that run one of those OSes out of the box. I wonder if there were any updates on that front.


That would be a great step in the right direction. More people using it means more options down the line.

It's soon time for me to get a new phone, but buying a Google Pixel to flash GrapheneOS seems like paying the bully.


If they do it, I will switch ASAP.


I use GrapheneOS, but it doesn't solve this class of problem. If your {banking|taxi|cash} app doesn't pass Play Integrity API running under GrapheneOS, you are out of luck for those apps. There are different levels of Play Integrity pass, and GrapheneOS does not pass the highest level of them, so some apps may work, and others not. I don't want to use Google Pay, but I couldn't if I wanted to on GrapheneOS, and I've seen people in this thread saying that where they live it can be difficult to pay for something any other way.


Yeah if this goes ahead I'm going back to my feature phone


Okay so we just need another company to release a nice phone and release the device tree right?


That's awful. I bought a Pixel because the ecosystem around alternative Android ROMs was healthy. This seems to change that.

Why can't I just get a general purpose computer in my pocket? Why is everything so hostile? I am willing to pay!


I was under the impression that selling anonymised data would also fall under this category. Either way we need more transparency here.

