I need a Pixel 3 for advancing my mobile security research. I don't have access to a current generation mobile device with a Snapdragon 845, the Linux 4.9 LTS with CFI and a StrongBox keymaster implementation.
Bitcoin address for contributing: 34J5mcUveTUr99ZNB2SnFxCPFjXQCAxyuB.
Conversation
Replying to
A user build of AOSP using github.com/anestisb/andro that's signed with properly secured release keys.
It needs to be a phone with full security updates available and support for using hardware security features with another OS. Can't do much if the hardware has garbage security.
1
2
Replying to
I strongly suggest using either an iPhone or a Pixel with the stock OS. There is no alternative OS with decent security and binary releases available to install. You would need to build AOSP for a device like a Pixel where it can be done securely or find someone to do it for you.
2
3
I was the one that created and maintained it, almost entirely on my own. It offered substantially more privacy and security than the stock OS. It couldn't offer a longer support period since it relied on the same security updates. It's no longer the same thing that it was before.
2
2
Finally you admitted that there are ROMs better than stock ROMs :)
Do not be upset with me for thinking differently and wanting to do differently.
2
No, you're missing the point and claiming I said things that I didn't. A device without full security updates available is a security disaster. I obviously never worked on adding hardening for devices that were end-of-life without security updates because it would be ridiculous.
1
As I said before, the security of a production build of AOSP is comparable to the stock OS on a Pixel. However, using AOSP isn't a solution for devices without security updates available for drivers and firmware. Keeping up with AOSP security updates covers only half the updates.
1
I work on implementing privacy and security features for operating systems and applications. Those features aren't a substitute for having full security updates. Adding substantial hardening to AOSP is quite pointless if you're missing much more basic security hygiene regardless.