Those Anøm phones didn't even pretend to be at all secure.
Pixel 3a with an Android 9 fork still on the March 2019 security patch. Shipped signed with the publicly available AOSP test keys used as a placeholder before signing actual releases. All of that visible in Settings app.
AOSP test keys have publicly available private keys. It's a placeholder used when building. It's for development use with signing as a separate, optional step.
Several tests fail if you have anything signed with them. Also shows "test-keys" in OS version shown by Settings app.
Those keys are literally just these:
android.googlesource.com/platform/build
Replacing these in the source tree is considered as using development keys and brands it as dev-keys.
Signing a release for real is a separate step done after building and brands it as release-keys which is hidden.
Military grade cryptography must require signing your releases with open source private keys. It's such a good idea that even the FBI is doing it.
Seriously though, the whole point of those keys is that they're a reproducible, known bad placeholder replaced with real signatures.
