• despoticruin@lemmy.zip · 11 up · 5 days ago · edited

    People here are also missing one part of the Android security model. Yes, you can overwrite the system partition arbitrarily while leaving the data partition intact with an unlocked bootloader; that’s how updates work.

    However, the moment you make any changes to that system partition it won’t match the developer’s signature and the apps on the system will throw an absolute fit. Look into building your own Lineage ROM and flashing it over an official build; it’s an entire process that requires your data partition to be unlocked (i.e. phone booted and PIN entered) to keep your data, even without making changes.

    Realistically it isn’t insecure: if you set a passcode your data is encrypted, and if someone MITM attacks your ROM you will immediately notice stuff breaking all over the place.

    The whole bootloader locking is purely vendors trying to force you to buy new phones every few years instead of the user backporting security patches indefinitely, not any practical security for the end user.

    • DeathByBigSad@sh.itjust.works (OP) · 2 up · 5 days ago

      it won’t match the developers signature

      Couldn’t an attacker just make an OS image that tells the system to disregard any signature mismatch?

        • despoticruin@lemmy.zip · 4 up · 5 days ago · edited

        No, because that’s not how the matching works. Stuff in your data partition, as well as app data, is signed with those keys and hashed to the device. All of those bits do that hash on their own, and they all have to match up. When you change the main system partition, its signature has to match the one generated in the data partition when you set up your phone initially.

        Basically you have to have access to the data partition to disable the checks or change the signature, which needs your PIN/passcode/fingerprint, and if you have that you don’t even need the phone: you dump the data partition, unlock it in an emulated Android environment and exfiltrate data from there as if it was the original phone.

        I also want to reiterate: A locked bootloader does not stop anyone from dumping your phone, emulating it, and brute forcing it, completely bypassing any rate-limiting on password attempts. By the time a bootloader lock even comes into play you can consider your phone completely compromised.

  • frongt@lemmy.zip · 43 up · 7 days ago

    If someone gains access to your device they could alter or replace the OS without your notice, called an evil maid attack.

    If the bootloader is locked, they’d have to have the phone OS booted and screen unlocked, then unlock the bootloader, which wipes the device.

  • Godort@lemmy.ca · 36 up · 1 down · 7 days ago

    Practically? Basically none at all.

    If someone got physical access to your phone, they could install another OS without your knowledge.

      • MangoPenguin@lemmy.blahaj.zone · 4 up · 6 days ago

        Yeah, but if left unlocked then they could replace the OS or part of it without it being very obvious.

        Not a thing most people just wanting better privacy need to worry about.

        • sfjvvssss@lemmy.world · 1 up · 6 days ago

          If I get hold of an unlocked Graphene phone, could I just flash stuff on it which is not properly signed by GOS?

  • Sudo Sodium @lemdro.id · 6 up · 7 days ago · edited

    It depends on how you use your phone and what the physical attacker aims for:

    • if you use a custom ROM with a decrypted /data partition by default and no way to encrypt it, the attacker can get access to all of your data from recovery even if you’ve set a lock (like password/PIN/pattern) in the ROM; but if your custom ROM is encrypted and protected with a lock, the attacker must know your password to decrypt the /data partition in recovery
    • if the attacker aims to replace a part of your phone with a sus one (like a boot partition, for example), he must be a developer who knows how to build things designed for your exact phone model, otherwise your phone will get bricked
    • if your phone is rooted and you give root permission to sus modules and apps, it’s possible to install malware and do shady things on it without physical access

    My recommendations:

    • only use trusted ROMs
    • only use an encrypted ROM (official LineageOS is encrypted, if I’m not wrong); encrypted ROMs are slightly slower than unencrypted ones, but safer
    • set a lock on the ROM
    • avoid giving root access to untrusted modules and apps
    • (if you’re paranoid) clean flash every time you update or switch ROMs, as this will replace any sus partition flashed by an attacker
    • (if you’re using a decrypted ROM and custom recovery) set a password on the recovery, BUT if it’s OrangeFox make sure to remove the password before updating the recovery, otherwise you’ll get into trouble
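
The two things the thread keeps coming back to (frongt’s evil-maid point about a locked bootloader, and Sudo Sodium’s advice to only run an encrypted ROM with a lock set) can both be checked on the device itself. The script below is an added example, not code from this thread or from any ROM project: a POSIX shell script that reads the Android Verified Boot and encryption properties over adb and prints a verdict. The property names (ro.boot.verifiedbootstate, ro.boot.vbmeta.device_state, ro.crypto.state, ro.crypto.type) are real Android system properties; the verdict rules, their wording, and the file name audit_boot.sh are this example’s own assumptions, and ro.boot.vbmeta.device_state is only populated on devices that boot with AVB 2.0.

```sh
#!/bin/sh
# Added example: audit an Android device's verified-boot and /data
# encryption posture. Property names are real Android system properties;
# the verdict rules and wording are this example's own assumptions.
#
#   ro.boot.verifiedbootstate   green  = locked, OEM-signed OS
#                               yellow = locked, OS signed with a custom key
#                               orange = bootloader unlocked
#                               red    = boot image failed verification
#   ro.boot.vbmeta.device_state locked / unlocked (AVB 2.0 devices only)
#   ro.crypto.state             encrypted / unencrypted
#   ro.crypto.type              file (per-file encryption) / block (full-disk)

# assess_props VBSTATE DEVSTATE CRYPTO_STATE CRYPTO_TYPE
# Prints one line per finding. Returns 0 when someone holding the powered-off
# phone can neither reflash the OS nor read user data in /data without the
# lock-screen credential, 1 otherwise.
assess_props() {
    vbstate="$1"; devstate="$2"; cstate="$3"; ctype="$4"
    rc=0

    case "$vbstate" in
        green)
            echo "verifiedbootstate=green: bootloader locked, OS signed with the OEM key" ;;
        yellow)
            echo "verifiedbootstate=yellow: bootloader locked, OS signed with a custom key (relocked custom ROM)" ;;
        orange)
            echo "verifiedbootstate=orange: bootloader unlocked, boot/system can be reflashed offline (evil maid)"
            rc=1 ;;
        red)
            echo "verifiedbootstate=red: boot image failed verification, treat the OS as tampered"
            rc=1 ;;
        *)
            echo "verifiedbootstate='$vbstate': unknown, device may predate verified boot"
            rc=1 ;;
    esac

    # The AVB lock flag must agree with the colour; if it says unlocked,
    # believe it regardless of what the colour claims.
    if [ "$devstate" = unlocked ] && [ "$vbstate" != orange ]; then
        echo "vbmeta.device_state=unlocked while verifiedbootstate=$vbstate: inconsistent, treat as unlocked"
        rc=1
    fi

    case "$cstate" in
        encrypted)
            echo "crypto.state=encrypted (type=${ctype:-unknown}): user data in /data needs the lock-screen credential" ;;
        *)
            echo "crypto.state='$cstate': /data is readable from recovery without any PIN"
            rc=1 ;;
    esac

    return "$rc"
}

# Pull the four properties from the connected device over adb (real
# commands) and assess them. Run as:  sh audit_boot.sh --device
assess_device() {
    prop() { adb shell getprop "$1" | tr -d '\r\n'; }
    assess_props "$(prop ro.boot.verifiedbootstate)" \
                 "$(prop ro.boot.vbmeta.device_state)" \
                 "$(prop ro.crypto.state)" \
                 "$(prop ro.crypto.type)"
}

case "${1:-}" in
    --device) assess_device ;;
esac
```

The three outcomes map onto the thread’s positions: orange (or device_state=unlocked) is the case where a custom ROM leaves anyone who picks up the phone free to reflash boot and system offline; green is a stock locked device; yellow is the middle ground of a custom ROM relocked under its own signing key, where replacing the OS again requires an unlock and therefore a wipe of /data. The encryption check is independent of the lock state, which is why an unlocked device with an encrypted /data and a PIN still protects the data at rest even though the OS can be swapped.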
  • NaibofTabr@infosec.pub · 8 up · 5 down · 7 days ago

    This is relatively minor. The bigger risk when running a downstream OS is that the team does not have the finances, the staff, or the broad-ecosystem visibility to support their own security research and development in any functional capacity, and there is an unavoidable delay in integrating security updates from the upstream OS.

    This is a big problem. It makes running any small-team derivative OS a high-risk choice.

    • fodor@lemmy.zip · 1 up · 5 days ago

      The last sentence doesn’t follow from everything before it. You could have said that it increases some risks, but decreases other risks. That would have been accurate.

      And this is the point, right? Many people want to use alternative operating systems on their phones so that they aren’t vulnerable to Google itself. This itself is a massive reduction of a certain type of risk.

  • mazzilius_marsti@lemmy.world · 3 up · 2 down · 6 days ago

    It’s been a while since I used LineageOS on my OG Pixel (sailfish). I remember you have to install the custom bootloader like TWRP to flash the ROM and there was this thing with A and B partitions. Not sure if things changed…

    With an unlocked bootloader, whoever gets your phone can do the weird Vol Up + Power button combos to enter the TWRP bootloader. I couldn’t recall correctly, but it is possible they can view / delete your data right within the TWRP screen. Not sure about transferring them off of your device.

    OTOH, a locked bootloader wouldn’t allow you to do this. There is no way to enter and flash a different ROM.

    The thing with an unlocked bootloader like LineageOS, especially in my case an OG Pixel, is that you can still flash the official Pixel OS in case Lineage starts to mess things up. LineageOS leaves the bootloader unlocked, so you can still flash.

    I’m talking about the case where your phone is completely bricked, i.e. cannot open the phone. So you can just use platform-tools to reflash. With Graphene, I guess it is more difficult in this case?

    • Lka1988@sh.itjust.works · 2 up · 6 days ago

      > I remember you have to install the custom bootloader like TWRP to flash the ROM and there was this thing with A and B partitions. Not sure if things changed…

      Custom recovery on bootloader-unlockable devices is required if you want to do everything on-device. You can still flash ROMs without a custom recovery. I don’t have a custom recovery on my P9PXL, but that’s only because there isn’t one…

      Workarounds on locked devices usually install a custom recovery as part of that workaround. Last night, I installed LOS on one of my kids’ old Kindle Fire tablets. Amazon makes it really difficult; there’s a whole series of scripts and commands just to get TWRP installed. But once that’s done, you can load a ROM and flash it on-device.

  • tomyhaw@lemmy.world · 1 up · 6 days ago

    The way I understand it, the bootloader is built-in security on the SoC itself, similar to a TPM? In some regards phones are safer than computers in this way. If you leave your laptop out someone can tamper with the OS, same with an unlocked bootloader. Safe from governments? You shouldn’t use a phone if that’s your worry.

    I don’t even have a lock on my phone.

  • Lka1988@sh.itjust.works · 2 up · 15 down · 6 days ago

    If you have to ask, then you aren’t important enough to actually be worrying about this kind of thing.

    If you were that important, then you would already know the answer to your question.

    • Appoxo@lemmy.dbzer0.com · 10 up · 6 days ago

      If you were helpful, you’d answer the question.

      Instead you are acting pretentious and unhelpful. Next time just don’t comment anything, downvote and leave :)

      • Lka1988@sh.itjust.works · 2 up · 1 down · 6 days ago · edited

        The question has already been answered. No point in me saying the same thing as others, but this question will always be asked regardless, so I pointed out the obvious thing people don’t like to accept: if you’re asking random internet strangers, then you’re not important enough to need this kind of security.

        There’s pretty much no reason for the average Joe to worry about this kind of thing. If that were the case, they would already be acutely aware of the security risks imposed by unlocking the bootloader and installing a custom ROM. The biggest threat to mobile devices is physical access, but if someone has physical access to your device, all bets are off anyway.

        > Instead you are acting pretentious and unhelpful.

        I know it sounds rude, but there really isn’t any other way to explain this.

  • Ilandar@lemmy.today · 2 up · 2 down · 6 days ago

    That’s ultimately for you to decide. No one here can tell you whether or not it’s likely that someone will gain unsupervised, physical access to your phone.