Conversation

I need a Pixel 3 for advancing my mobile security research. I don't have access to a current generation mobile device with a Snapdragon 845, the Linux 4.9 LTS with CFI and a StrongBox keymaster implementation. Bitcoin address for contributing: 34J5mcUveTUr99ZNB2SnFxCPFjXQCAxyuB.

Replying to

Hi ,do you know some unofficial rom that is secure?

Replying to

A user build of AOSP using github.com/anestisb/andro that's signed with properly secured release keys. It needs to be a phone with full security updates available and support for using hardware security features with another OS. Can't do much if the hardware has garbage security.

github.com

GitHub - anestisb/android-prepare-vendor: Set of scripts to automate AOSP compatible vendor blobs...

Set of scripts to automate AOSP compatible vendor blobs generation from factory images - GitHub - anestisb/android-prepare-vendor: Set of scripts to automate AOSP compatible vendor blobs generation...

Replying to

I strongly suggest using either an iPhone or a Pixel with the stock OS. There is no alternative OS with decent security and binary releases available to install. You would need to build AOSP for a device like a Pixel where it can be done securely or find someone to do it for you.

Replying to

What you think about

Replying to

and

I was the one that created and maintained it, almost entirely on my own. It offered substantially more privacy and security than the stock OS. It couldn't offer a longer support period since it relied on the same security updates. It's no longer the same thing that it was before.

Replying to

and

Finally you admitted that there are ROMs better than stock ROMs :) Do not be upset with me for thinking differently and wanting to do differently.

Replying to

and

No, you're missing the point and claiming I said things that I didn't. A device without full security updates available is a security disaster. I obviously never worked on adding hardening for devices that were end-of-life without security updates because it would be ridiculous.

Replying to

and

As I said before, the security of a production build of AOSP is comparable to the stock OS on a Pixel. However, using AOSP isn't a solution for devices without security updates available for drivers and firmware. Keeping up with AOSP security updates covers only half the updates.

8:46 PM · Nov 1, 2018Twitter Web Client

Replying to

and

I work on implementing privacy and security features for operating systems and applications. Those features aren't a substitute for having full security updates. Adding substantial hardening to AOSP is quite pointless if you're missing much more basic security hygiene regardless.