I need a Pixel 3 for advancing my mobile security research. I don't have access to a current generation mobile device with a Snapdragon 845, the Linux 4.9 LTS with CFI and a StrongBox keymaster implementation.
Bitcoin address for contributing: 34J5mcUveTUr99ZNB2SnFxCPFjXQCAxyuB.
Conversation
Replying to
A user build of AOSP using github.com/anestisb/andro that's signed with properly secured release keys.
It needs to be a phone with full security updates available and support for using hardware security features with another OS. Can't do much if the hardware has garbage security.
1
2
Replying to
I strongly suggest using either an iPhone or a Pixel with the stock OS. There is no alternative OS with decent security and binary releases available to install. You would need to build AOSP for a device like a Pixel where it can be done securely or find someone to do it for you.
2
3
This Tweet was deleted by the Tweet author. Learn more
No, I'm explicitly stating that it doesn't. The LineageOS security patch level is explicitly dishonest. They set it to the latest value across devices even when shipping only shipping a fraction of the security fixes required by the latest patch level. AOSP patches aren't enough.
1
This Tweet was deleted by the Tweet author. Learn more
Non-Pixel devices also don't have comparable security at a firmware and hardware level. It can't be addressed with another OS. Also, only Pixels (and the Nexus 5X / 6P before them) support all the hardware security features like verified boot with alternate operating systems.
1
This Tweet was deleted by the Tweet author. Learn more
You should be avoiding Android as a whole if you think they deliberately put in backdoors, because backdoors can be hidden in open source code as bugs. The same applies to other software where Google plays a substantial role including the Linux kernel and many other projects.
1
Replying to
It's infeasible to review massive open source projects line by line and subtle bugs are usually missed by that kind of analysis. It will probably find some bugs, but not all, or most. A hidden, subtle backdoor that was planted as a bug could be ridiculously hard to find.
Replying to
The backdoors that are discovered in software like routers, phones, etc. from sketchy vendors are usually sketchy debugging code that ended up shipped in production due to lazy programmers, rather than something with malicious intent with any attempt to hide it.