Yea, SMS and phone apps are quite numerous. I don't think it's a problem, the subsystems all the apps use is open enough and not hard to build against.
Except for RCS, that's completely locked down and is pretty solidly becoming literally just Google. Fuck RCS.
Not just Google is the problem, the entire industry is the problem. Almost all of the cell-based standards are locked away and purely depend on the operators, major infrastructure companies like Motorola, Ericsson and Huawei and modem implementors like Qualcomm, Apple or Broadcom.
Implementing them independently is extremely difficult and even if you manage to do it you cannot have them commercially available due to radio regulation and patents. Even academic research can only be done with collaboration of those huge companies.
It is impossible to make a phone that is LTE capable completely independently (or even without nation state support). You cannot implement VoLTE or RCS without support from the carriers. They all have their own proprietary protocol on top of the standards.
Google has basically infinite money and their own patents and industry relationships and government support so they can figure out RCS. An indie company, even with infinitely motivated engineers and good funding do not have any of it.
Got to say, I like the current Android versions.
In the early days I flashed my Motorola Defy every second month with some cool new ROM.
Always rooted and Xposed, always enabling something new.
Now I run a S23 Ultra and after two years it still does everything I need.
OneUI 8.0 and Android 16.
For work (app de) I also have a Pixel 7a, always with the newest Android Beta.
Also works well.
Even the entry level phones work OK to pretty good now.
My Samsung A16 5G (also for work) functions surprisingly well for 150€.
> Now I run a S23 Ultra and after two years it still does everything I need.
Maybe, but it is fully under Google and Samsung's control, and is choke full of spyware. You couldn't pay me to use a stock (Googled) Android phone for this reason alone.
How well is rooting supported on these newer Android versions/devices? If I install LineageOS on my device, for example, I can be reasonably sure that Magisk will work fine. But how well does it work on a stock, locked-down ROM?
Most devices doesn't have unlockable bootloaders now thus you can't even root them unless it was a popular device and a temporary /finicky hack was found.
Back when I used Android phones, tweaking was pretty important to me too. I still remember when I installed CyanogenMod on a Motorola XT1565, those were the days... Eventually, LineageOS, and then some new phones happened, not all of which were rootable, though I eventually ended up with a OnePlus 7 Pro which was pretty tweakable and even opened the possibility of bootloader re-locking, until a TWRP bug wiped my device and I pretty much stopped tweaking. Was never quite able to get EdXposed working right again...
I am asking out of curiosity and nothing else: what use cases do you have that motivate you to get a new phone every year? Do iPhones get notably better with every release? I'm guessing camera or storage would be big ones?
I'm not parent but a counter perspective - the only three motivations I have are:
phone dies
camera vastly improves (imo it's been on a decline since the Nexus 6)
phone is too slow to use
I'm on year 5 of my Samsung s21u that I can replace the Samsung ux slop with asop ports
Well, with this last one they finally made the telephoto 48MP. Also, vapor chamber is nice. I don't know if the 18 will have enough for me to upgrade, and it might even have a reason for me not to upgrade (removing gestures from Camera Control). But so far it's been every year, because I've only been using iPhone for a couple years, and my first was a refurbished 15 Pro Max.
The 17 Pro (non-Max) only comes with up to 1TB of storage, but that's still more than my 15 of before.
It is not for anyone but Apple, because they control the source code and full remote code execution access to your device at a higher privilege level than you as the supposed owner have.
So you believe dictatorships are a good idea when it comes to technology control.
My question is then the same of anyone who prefer to give up freedoms to centralized seemingly benevolent dictators: What happens when you are told you can no longer do something you were previously allowed to do, that is only in the interest of the centralized power?
Including custom ROM devs like the GrapheneOS team or the LineageOS team? That's a lot of trust you're putting in a company that only has their own profit at heart.
After Trump's re-election, I figured that there's not much difference between using a cheap Android from Chinese OEM, or an iPhone. Both will give away my information if the totalitarian government (Chinese or American) requests so. I don't really have particular preference on whether it's the Chinese or Americans spying on me, so in the end it all boils down to price. Chinese Android devices deliver same level of performance and features as Apple for 1/4 of the price.
Of course if I really cared about privacy, I would just install GrapheneOS or LineageOS on supported Android device, so no Apple in that case either.
This is them trying to strangle Graphene and LineageOs. We desperately need an ecosystem where manufacturers are legally compelled to publish the source code for their drivers and similar so as to make it easier for alternative Oses to exist.
Android will soon become fully closed source. The writing is on the wall.
Plenty of drivers are proprietary. There are many ways of doing so, like much of it can exist in userspace, or in firmware, or using a shim in the kernel.
I think believing any for-profit business would have any morality is the problem. Especially thanks to the post-80s business conjuncture upheld by the relatively democratic governments. It is all about diminishing responsibilities while increasing profits.
Na, it’s the people. Money attracts people who want money. It’s very hard to argue consistently for quality and ethics against these guys without something slipping through, and once that happens it’s impossible to argue to the business that they should forego a revenue source for ethics reasons. They only have to be convincing once, good engineers have to be convincing every time.
Not sure why people downvoted but this is sort of true
Microsoft was absolutely dominating and buying up everything (similar to today's tech giants) and they were literally the most mega corporation ever
Until they got hit by the monopoly lawsuit. That alone scared microsoft so much that it backed off
After the backing off is when Companies like google, heck Apple was directly invested to be saved by microsoft just so that they dont get threatened by the govt as monopoly and amazon.
In a way people mention so why couldn't Microsoft create their own engine but its also the fact that blink/chromium is based on fork of webkit which itself is a fork of KHTML from the kde team but webkit added many features (from what I could tell) and is a really complex software in it of itself
This was created by apple and apple as we know it would not have been able to exist without Microsoft backing off them
My point here is that in previous times, Microsoft was a large curtain blocking any innovation if they wanted but after it was feared by even a threat like monopoly, they took it very seriously and thus we have the cultural innovation in many ways that we have
Now the monopoly question was a genuine question still launched by the government.
Today the landscape is different, Google and these large tech companies would buy things and the meta strategy has become to sell, its a very cynical point of things which really just ends up screwing the customers in the end.
The government doesn't care, it might slap some 1% fine and there is a quote that if crime's punishment becomes only fines, then crime becomes legal and the fines compared to company are so small and they got legal structure so high that they strech it for as much as possible
Overall, the govt.'s being really lobbied by these tech giants and they stiffle tech innovation in the end
In the end all of them are the same, they all kind of want to be a microsoft pre monopoly era.
Govt's lack of understanding of the matters around the world is the reason why tech feels so intrusive. This has real consequences to you and me, now I don't trust the govt will be able to improve if its gets lobbied or corrupted and that's a seperate matter and might take new laws all around the world to prevent such corruption / lobbying but right now, the other best thing is to showcase support by being the minor fraction of the population who supports/donates to open source / msme businesses
I doubt Microsoft gives a minute's thought to government monopoly concerns. One of their "punishments" after the monopoly lawsuit was to give schools free copies of Microsoft Office products. Teachers and administrators adopted them, forcing parents to also buy copies of Office. Now practically everyone's documents are locked up in Office formats, which Microsoft can change on a whim. Sure, there are products to read Office formats with varying levels of success, but Microsoft has the control and can make everyone jump through hoops whenever they feel like it.
Well yes but I feel like its because the threats of monopolization got less and less due to lobbying efforts but for the time, there are reports where microsoft was scared in the internal emails after what happened.
"Microsoft was more scared of taking over companies that were competitors because of this anti trust trial. They had to back off a little and this created this tiny little gap, this little window from which many flowers can bloom. These flowers ended up growing into massive trillion dollars competitors (google and apple)"
I would consider that much of what I wrote in the previous comment was I think something I had thought about but this particular video definitely helped me and you could say did influence me in a way to write the comment.
It also mentions how it was provable that Microsoft was scared about it. I am not sure about this contradiction though but I would consider that it atleast created a gap for around 10-18 years from which the tech giants emerged.
I can't help to worry, in all seriousness, that these changes are aligned somehow to the current administrations more authoritarian temperament. Can anyone relieve me of my concerns here?
Is there any good faith read of this that people can lend credence to? The one I could maybe come up with (with their mention of stability) is "we want OSes derived from AOSP to be stable, instead of following main too closely". They mention third party devs working off of stable too... so maybe they're like "instead of dealing with outside contributors messing around with our 'wip' stuff, we'll sign up for integration work".
Almost all device run on the initial android release (QPR0), and never shipped any of quarterly updates. Even less so using _main_ as a baseline so that point is moot.
With android 16 introducing "mid releases" (QPR2), they expect OEMs to start shipping those as well, QCOM already has a QPR2 BSP release, and Samsung is expected to release QPR2 based builds soon.
As far as contributions go, google usually wanted patches to apply to main, I don't think that ever changed.
And even there now that AOSP development is fully closed, it's even easier as partners will likely just upload patches against internal main instead. Less integration work there as well.
There really isn't a good explanation as to why they want to do move code drop cadence, other than they can and want to avoid wasting time releasing QPR1/3 that no OEM ever shipped (expect Pixels that is)
So the source code will be released in a kind of FreeBSD releases? These pieces work together, base things off them, don't mess with (or even see) any WIP stuff.
In other words, the result is still open, but the development process is not.
I don't work on Android, but I suspect it's a whole lot less work for both confidentiality and maintenance to not have to worry about daily/weekly OSS releases. That's probably worth more to the decisionmakers than the value of random contributions from people who aren't already inside the partner tent.
[edit] based on the other comments, I surmise that public pushes were already infrequent.
Android's foundation has been mostly stable for years now, with fairly minor changes between releases. So I guess they just don't want to deal with too many versions to document and support, given that device vendors are generally awful.
Also for a long time they were doing yearly (or longer) release, afaiu it's only the past two years that they switched to quarterly (with the QPR release).
Sure. Development at Google is glacially slow because nobody does any work, and so they're only publishing releases bi-annually because there aren't enough substantive changes to make quarterly releases seem important. This will also allow the teams to move to biannual OKRs instead of quarterly, which lets ICs and line managers do half as much work while giving executives justification for why they need twice as much headcount.
When it comes to large bureaucracies, always assume laziness over malice or strategic competence.
Every attempt since OpenMoko proves the market doesn't care.
And in what concerns the mainstream desktop/laptop market, macOS Linux VMs, WSL, ChromeOS, versus GNU/Linux OEM devices, proves most people doesn't care either what they can get at regular computer stores, otherwise GNU/Linux configurations would not be online only at very specific shops.
Mobile is a massive chicken-and-egg problem. The main purpose of a smartphone these days is to run apps. Nobody is going to buy a smartphone which can't run the apps they need in their day-to-day life. On the other hand, no company is going to write apps for a platform with basically zero users.
OpenMoko & friends are selling devices which basically only run Firefox, and sometimes make calls as well. The only people interested in that are diehard FLOSS enthusiasts, which means they have to use ancient hardware because new stuff doesn't have open drivers, which means that even if you ignore the app ecosystem they compare incredibly poorly to mainstream smartphones. No wonder they keep failing.
Interestingly, the desktop/laptop market is heading the other way. The move to cloud SaaS products means a decent number of people now only need a browser. What's keeping a lot of people on Windows is often literally one or two applications. Valve's push for Proton is the perfect example of this: the Steam Deck is providing a huge incentive to fix those last few bugs keeping a game from running on Linux, and with the way Microsoft is screwing up W11 it is now ironically the gamers who are moving to Linux.
What you are seeing in "regular computer stores" is mostly irrelevant. That market is basically dead. Corporate gets its machines directly from Dell/HP/Lenovo, PC enthusiasts mostly get custom builds, and casual people stick with smartphones and tablets. In-store PC sales is now reduced to a university student's Google Docs machine - and Microsoft is doing a pretty good job bribing the manufacturers to push Windows there.
What I see is regular people buy their computers at Media Market, Cool Blue, Saturn, Fnac, Public, Dixon, you name it.
Most of them have no clue that something like System 76 or Tuxedo exists in first place.
Likewise on corporate world, I have long moved into Windows/macOS as official desktops for the last decade, GNU/Linux is only available on VM or servers, and usually it is the cloud provider's own distro.
Those customers where IT allowed the use of GNU/Linux desktops, it was with zero support from them, it was up to us to deal ourselves with any issues preventing our work, and to deal with upper management, in case it impacts delivery.
Until SteamDeck gets rid of its dependency on Windows as source, it is pretty much irrelevant. Games developers will keep using their Windows workstations, while a community smaller than Switch, will get those games thanks to Proton.
And it remains to be seen for how long Microsoft will tolerate Steam, or use their weight as OS vendor, and one of the biggest publishers.
> Games developers will keep using their Windows workstations, while a community smaller than Switch, will get those games thanks to Proton.
Mobile GNU/Linux might end up in a similar situation if projects like Waydroid[0] can be well-integrated into the system, or if the mobile hardware becomes powerful enough to run it well.
OpenMoko phones were too underpowered to run Firefox, but they could run a ton of other apps. I was running non-AI automated human language translation on the thing.
You know, I could do without the telephone and SMS features nowadays. I just need a data SIM. Then the device just needs to run a Linux distro with a mobile UI.
I'm pretty sure my Linux desktop version of Signal runs great on small screens.
> Every attempt since OpenMoko proves the market doesn't care.
It's because people like you are constantly repeating this mantra of security nihilism [0], instead of spreading the word about true alternatives existing today, Librem 5 and Pinephone.
How much does Librem 5 cost? Are they able to deliver reasonably up-to-date set of features that general population care? Can you still buy them? Will they deliver in a reasonable amount of time? Will they be able to stay afloat? Can they make enough money to invest in features? Can they support an ecosystem that not only support FOSS but proprietary software too? Can they make contracts with operators to have earlier access to newer tech? Does the cost reflect the value that the customer gets out of them?
The answer for most of those questions is no for both Librem and Pinephone. You cannot even buy Pinephones anymore. This is not nihilism.
> Are they able to deliver reasonably up-to-date set of features that general population care?
It doesn't matter. We are not on a mainstream website, we're on HN. You and me can use it as a daily driver (I do). Nothing becomes mainstream and usable by public at the launch (except things advertised by the big tech of course).
> This is not nihilism.
Did you read the linked article? It's not about getting to 100% security/freedom without any effort. This is about giving up, as you did.
> How much does Librem 5 cost?
Yes, it's expensive. If you can't buy it, you can help in many other ways, e.g., by spreading the word or contributing to the free software.
It doesn't matter: The phone runs the mainline kernel and not locked down, it will be able to receive all updates even without Purism. You can install any other OS, too.
> Can they make enough money to invest in features?
Seems like no, because virtually nobody knows about them, even on HN. And, again, it doesn't really matter.
> Can they support an ecosystem that not only support FOSS but proprietary software too?
Why?
> Can they make contracts with operators to have earlier access to newer tech?
This is pure nihilism. Only Apple and Google can do that, so we're all doomed, right? However Purism have been trying, not without some progress, https://puri.sm/posts/breaking-ground/
> Does the cost reflect the value that the customer gets out of them?
Which aren't that great user experience for normal users anyway, with the apps and games everyone else on their friends circle is using, or needed for work.
Security not only matters, we are still far away from the same liability as in other industries.
GNU/Linux also had as baseline what other UNIXes were capable of, and even that had to grew for ACLs, NSA's LinuxSE, and containers.
And yeah, you can even buy phones with a non-android linux pre-installed, e.g. from pine64. But they come with all kinds of "for early adopters" warning labels. Deservedly so, in my opinion.
Hope there's a timeline in which banking and corporate apps can run/be enrolled on that. If the current geopolitical mess from the USA isn't a good-enough reason to make it happen, I don't know what is.
Why are all commenters on HN ignoring the only smartphone running an FSF-endorsed [0] operating system, Librem 5, and only list everything else? I just can't get it.
Because it was a kickstarter that was run like a scam, was years late to deliver the first device, the hardware was already not good at the start due picking an automotive SOC, the form factor was bulky, and the software was really buggy.
GrapheneOS is a much more practical open source OS to use Linux on a phone.
GrapheneOS is not solving the actual interesting problem (running on an entirely mainline kernel, just like on x86). It's effectively a hardened variety of LineageOS/AOSP, hence entirely reliant on device-specific downstream kernels/BSPs that will never see a feature update.
BTW, hardware support on postmarketOS "community" class devices has seen some nice improvements as of late. Once these improvements meaningfully stabilize (avoiding the risk of regression/breakage; there's been some of that even in the recent testing for the 2025-12 stable release) it's quite possible that some "community" devices might finally reach "main" class, marking them as OK for daily-driver use. Something to watch for as we approach 2026-06.
>GrapheneOS is not solving the actual interesting problem
Consumers don't care how interesting the developer's problems are. They want their own problems to be solved and GrapheneOS does a better job of that.
>running on an entirely mainline kernel
Google already did that work years ago. Android will work on a mainline kernel. Just like with x86 the mainline kernel needs to support the hardware e you want to use though.
And while Linus allows Linux to be open source. A benefit of open source is that you can fork it if upstream decides to stop development or go closed source.
>This doesn't work with GrapheneOS.
GrapheneOS can use free drivers too. It literally is using Linux.
> GrapheneOS can use free drivers too. It literally is using Linux.
Except there is no device with free drivers that it supports. They just refuse to support Librem or Pinephone without a good reason. (I strongly disagree with their "security" arguments.)
> A benefit of open source is that you can fork it if upstream decides to stop development or go closed source
Android is already semi-closed (see this submission). Are GrapheneOS developers forking it? (No)
That's not how it works. GPL only prevents old versions from becoming closed source. If Linus added code to the kernel which required a $100k license to redistribute then people could no longer freely distribute the code of the kernel. People could not freely distribute compile kernels because they would need that license. GPL doesn't magically make all licensing issues go away. He could also make a required kernel module that was not GPL licensed that Linux could require to operate.
>Except there is no device with free drivers that it supports.
Having a working system providing competitive value to others is much more important.
>They just refuse to support Librem or Pinephone without a good reason.
The good reason is that those devices can't provide industry standard security.
Because it's prohibitively expensive for something that isn't guaranteed to be a usable daily-driver for most people. Also IIRC the hardware isn't quite worth the price tag in-and-of-itself.
> We need a third alternative, based on freedom with your device.
We does not refer only to HN users, and there is no implication as such.
The default assumption is that 'we' refers to the general population.
However, even if I'm charitable and go with your assumption that 'we' referred to HN users, I will confidently say most HN users also don't care about FSF approval.
You like to post a lot of HN links without ever giving an indication of what they point to. As a habit, I don't waste my time clicking random links that people post without context.
You can sell the phones alright, and they might even work, but the fact is that participation in society - especially if you live in a city - will be much harder without Android/iOS.
Note, not impossible: You can always carry cash to avoid phone-based bank payments (which would be needed at e.g. my local farmer's market, where nobody has a card payment terminal), some taxi services (Yandex Go for example) provide a web view with some of the features, you can open map services in the browser ...
But for the browser-based cases the experience will be even worse than the standard app experience, and friction is overall much higher.
As a result, only a very small fraction of nerds are committed enough to buy and use these devices. You then have a chicken&egg problem about getting a third option to work.
The only way this has been done semi-successfully in recent years is Huawei's HarmonyOS - and they did it by way of a) already being an absolutely massive phone company, and b) keeping around an expensive Android-compatibility core for many years.
Yes, the chicken and the egg problem. But here is the thing, the more adopters there are the more likely to get support. Not to mention the userbase will be mainly in the EU.
The EU is entirely dependent on US services, which don't much care about a fringe phone OS some fraction of people in the EU use. It's like adding duck/egg, crow/egg and other similar problems into the dependency web, too.
The European Commission, as well as many individual countries, are starting to see that as a problem in need of urgent solving, as they've realized it's strategic suicide for a country to be dependent on the goodwill of the (potentially, now turned likely, and going for almost declared) enemy.
It’s a circle that needs to be broken. It has multiple parties even without device manufacturers.
Users - there is a broad scope of users. For sustainable eco-system you need also user interest and support of such.
Developers - that sounds funny. I know. But you need enough leverage to get apps or services to be open.
Companies/Software - a modern mobile device takes place in almost any interaction. Commuting, payment, banking, grocery shopping, social messaging, doom scrolling.
Biggest hope for the future is ensuring PWA becomes standardized enough.
That way the OS lock-in could be reduced.
> It’s a circle that needs to be broken. It has multiple parties even without device manufacturers.
Well, you're right, however badly I don't want to admit it. Google broke that cycle once with Android. I'm sure that Apple would have too, even if they were not the first mover. And there's no question that their wealth and influence had a massive role in it - something an open platform cannot match realistically.
But the current situation is simply untenable anymore. I want out, no matter how many others don't care for it. The open platform has to be just functional enough (including app support, even as PWAs), for us to break free from this duopoly. Just like how Linux and BSDs are on desktops. I'm able to do everything on it from work to netbanking. I would hate it really badly if I was forced to use Windows or MacOS these days.
We need a hardware attestation vendor who isn’t also selling ads on the same device. Something like, I dunno, an identity module which you could maybe insert into the phone?
We never had one on desktop; no real issues. Hardware attestation is primarily in the interest of the vendor, not the user. The user relies on chains of trust. This is how the world works.
This is because of legacy. And even now lots of people assemble and build PC.
My worry is one fine day Microsoft, Samsung Apple, and Google (rest of SV Media companies like Netflix etc) will join hands in bringing security and force a ChromeOS or macOS type totally- we decide everything for you.
But that's exactly why I advocate that the hardware attestation module be separate from the computing device - so I can be in control of what and when I attest, not the vendor.
Can you elaborate. Say I buy parts myself and install a fully FOSS OS on my machine. Let's say I want to access my bank, and they demand attestation. You propose I'd buy an off-the-shelf, universal attestation module of my chosing (free market). But how would that work from an implementation standpoint? How would the module help put e.g. my bank at ease?
Those actually exist. Yubikeys, Nitrokeys (complete FOSS FW) or bank-approved code generators (For Germany these exist: https://www.reiner-sct.com/tan-generatoren/) are basically that. They provide independent assessment. So regardless of the OS or the browser both parties can make secure transactions.
Open Harmony? I can't find what I would call authoritative information on how open it is. There's some hedging language about modules being closed source. But it's unclear if that refers to commercial versions of Harmony OS or Open Harmony, or if Open Harmony is open but somehow crippled.
Every time Android gets worse and less open, especially with recent ID verification for APK installs, I think Canonical's 2013 comment on closing Bug #1 ages even more like milk: https://bugs.launchpad.net/ubuntu/+bug/1
Bug: Microsoft has a majority market share
Almost always, a majority of PCs for sale have Microsoft Windows pre-installed. In the rare cases that they come with a GNU/Linux operating system or no operating system at all, the drivers and BIOS may be proprietary. [...] A majority of the PCs for sale should include only free software.
Closing comment:
Android may not be my or your first choice of Linux, but it is without doubt an open source platform that offers both practical and economic benefits to users and industry. So we have both competition, and good representation for open source, in personal computing.
Even though we have only played a small part in that shift, I think it's important for us to recognize that the shift has taken place. So from Ubuntu's perspective, this bug is now closed.
Ok, so at this point we’re getting iOS kernel source releases more often than AOSP drops? Maybe they should rename to i Open Source at this point because they seem to be doing a better job than Google at this now.
I wish I could understand why it is so difficult to build an un-googled android image.
One reason, I guess it's not possible because it's a complex OS?
But is the real obstacle being smartphone brands not publishing their hardware drivers?
It is so easy to install linux on a PC, yet I don't see the same happening for android while it's actually running a linux kernel, so it really begs the question.
It comes with optional sandboxed Google Play Services and Store, meaning that these run just like any other app, with no special permissions. You can give them only Network access. The Play Store is still the most secure way to download everyday apps, so a lot of GrapheneOS users use Google's Play Store with a burner account in a separate profile, usually the Owner (the main) profile - since you can then disable apps in Owner and install them into other profiles. And the sandboxed google stuff can be used to run proper Google apps without any problem. Even sandboxed Android Auto works.
> I wish I could understand why it is so difficult to build an un-googled android image.
> It is so easy to install linux on a PC, yet I don't see the same happening for android while it's actually running a linux kernel, so it really begs the question.
It's not particularly difficult -- see Graphene and Lineage. The main issue is that there are few phones on which to run these custom builds. Ironically, Google Pixels allow to run other operating systems than the one they come with (the bootloader can be unlocked). Other than the Pixel and a couple of Chinese models, you are looking at low-end or ancient hardware. You can't just build a phone without OS and install Linux/Android like you would on a PC.
> But is the real obstacle being smartphone brands not publishing their hardware drivers?
In part, afaik. On one hand, you have binary blobs that come from Google and you cannot generate yourself. The other part, is that you, as an individual, have no relationships with manufacturers so you have no access to their drivers.
I like the android way of security, where "rooting" your device to install updates is insecure, but using a horrifyingly out-of-date android (because your manufacturer, the only one who can update your device, didn't bother) is secure.
Not to mention, play integrity is being used a some sort of "anti cheats" by bank apps and other essential services. Even some government apps in the EU, essentially forcing you to be spied on by google.
The worse part is that, you can do all of those functionality with a browser on linux (or Android), yet to use them as Android apps on a device without gapps (even if jt's not rooted and with locked bootloader) is not allowed. Make this make sense.
> Even some government apps in the EU, essentially forcing you to be spied on by google.
The same in India. I can't use even the government weather app and the disaster alerts app without signing in to google play.
Seeing that this malpractice (of forcing the users into Google's surveillance net) is widespread among seemingly unrelated agencies like banks and government agencies of several nations, I would really like to know who is peddling this draconian scheme among them.
I want to send some angry rants to the app owners/developers and ask for those malicious peddlers to be permanently banned from further interference in cyber security matters of these institutions.
I would not be surprised if Google is sponsoring a lot of this efffort targeting young devs, and "teaching about security". They basically positioning their services as "authenticators" of truth, despite it 100% being cat and mouse game still.
That really makes sense though if you think about it. When a company has an annual revenue that would put them around the 43rd largest country by GDP, they could very well begin acting more like a state. States spy and states claim to be the arbiters of truth.
Play Integrity and Play Services are two different things.
Play Integrity is a remote attestation scheme by which apps can ask the OS to prove to a remote server that it is unmodified. It allows apps to refuse to run on devices with root or third-party ROMs.
Play Services is a set of libraries and APIs for things like network-based location, push notifications, and advertising. Nearly all Android phones include it, and users of third-party ROMs can add it at install time (but not later) with packages like MindTheGapps. There's an open source substitute called MicroG that allows most apps to run without it.
> Play Integrity and Play Services are two different things.
You're right in your elaboration, but I didn't mention which one it is. My primary concern is that it forces me to log in to my play services account, which I haven't agreed to so far.
> There's an open source substitute called MicroG that allows most apps to run without it.
It's not for the lack of trying and I probably wouldn't even be complaining if it had worked. Phones are getting harder to root these days, much less install a custom ROM. Everyday feels like the ecosystem is tightening around us.
moto g15 in hand, deguggled as much as possible right out of the box, no guggle accounts or big tech apps, bank through a browser, but there is defintly a lot of outright fraud as to bieng able to turn off google apps, it is an arcane procedure to turn off notifications, insisting that nothing will work without "play store" installed, though it is clear that going to a linux phone will become the only way to avoid adversurvielance security and tracking from taking over my device completly.
keep in mind that our techno facist elite did provide the "intel" that led to ICE bieng sent to a particular area code in minaipolis, where they executed a mild mannered chearfull poet, who's last words, somehow knowing, were, "i dont hate you".
"tech" is central to whatever comes next
Get a phone that runs GrapheneOS (second-hand Pixel 7 or 8 will do fine). Run apps that do not require it without Google Play Services and run apps that do require Google Play Services with the sandboxed Google Play Services. That will constrain the data that can be collected a lot.
(Yes, there will still be issues if you use apps that require Google's remote attestation, but at least in Europe, many banks etc. do not require it.)
Yeah India, because a lot of people are having their lives ruined by scammers everyday. Get off your fucking high horse, it literally protects users. Before you start judging, do a simple search. It's not one off cases.
The scamming problem is a fault of the government. It's trivial for a national government to make rules forcing banks to become able to reverse wrongful transactions. That'd stop scammers cold. If your government doesn't do this, and instead transfers the responsibility to the client, it's because the government doesn't care for the people.
Oh Please! Can't protect the users without forcing them to log on to Google and subject themselves to surveillance? That too even for the weather and the emergency alerts? Give me a break! And stop ruining the discussion with your misguided condescension and nationalist rhetoric.
I do not have a smartphone and have had no problem being a customer of multiple top banks. They strongly _encourage_ you to use apps, but if smartphones are against your unspecified religion, alternative paths always appear.
In EU? For internet banking you need a mobile phone or a dedicated hardware token (thing you own), as part of the Strong Customer Authentication (SCA) requirement under the PSD2 regulation: https://ec.europa.eu/newsroom/fisma/items/658958
I know in some countries (UK, Germany, Switzerland, Austria) they're used to hardware tokens already since they were in use long before PSD2. But I seriously, seriously doubt banks in e.g. Poland specifically implement support for hardware tokens issued to very few annoying customers who refuse to use an app but otherwise want internet banking.
This is untrue in reality. Literally I used more than 5 banking apps, and few investement ones (including 1 in the US). I could log in to all of them through a browser, using a phone number 2FA, or a proprietary authenticator of the bank (a physcial device). Never a bank forced me to use their app to login. It's an option though (and a convenient one). If that end up ever to be the case, I am for sure not using a google phone to do so. iPhone it is.
And here is the funny part. On my A13 Android (fully rooted, BL UL, custom ROM) I can totally bypass play integrity, using the keybox method. There is literally no way for google to patch this. I am yet to get it working on A16, mainly for lack of time to tinker, also because OP15 has no sources released yet to build ROMs for it, which is the main motivator for me to use an Android phone.
The takeaway is this: Google promotes "Play Integrity" (PI) as a working solution against "tempered devices" (ie. because god forbid you have sudo access on your device). Yet, it's easy (albeit a bit complex as you have to know the right telegram groups) to bypass it. PI gives the illusion of security, yet in reality it counter-solution exists. Real bad actors would have 0 issues doing what they want to do, the real impact is deterring users from open source roms like Lineage, simply because their bank app wouldn't work, which imo is Google plan all along masquerading as security feature. Google's main business is ads, and hosts based ad blocking is extremely easy once rooted.
Their recent moves align well with this (slow rollout of open sourcing, QPR2 is still not out yet, antagonizibg 3rd party stores like f-droid), all in the "name" of security.
Interesting. I just moved to Android from iOS with the idea of eventually switching to GrapheneOS, but was scared that my apps will randomly stop working as soon as Google catches up with the hacks. From what I heard it's a cat and mouse situation, they patch things, then android community finds a way. I do not want to find myself in a situation I need to use my bank or government app and fail because Google just caught up with the hack.
So what you're saying is that you can have it permanently 'fixed' with no shenanigans like that?
Between what the law says and what actually happens there's sometimes a gap.
I'm in the EU and currently I do online banking with 3 banks without using any app, i.e. thru a laptop browser. The 1st literally lets me stay logged in with a simple cookie, with an SMS 2FA requirement every 90 days. The 2nd additionally asks for a PIN to be entered at each session. The 3rd is a neobank and is tougher, requiring a TOTP (which I generate on the same machine, needless to say).
A 4th does require an app, and in fact can hardly even be used with a desktop OS. That bank is Revolut and I therefore don't use it and I recommend others avoid it too.
The reason this happens is because big companies get their software pen tested. Part of the pen test report will include something like “accessible from jailbroken devices.”
The pen test results get put into the ticket system as immovable entries. Engineers will question them, only to be shot down by the cyber security department who organized the pen test. The engineers will eventually accept that they cannot convince cyber to drop the issue, and implement the jail break detection.
Why does cyber mandate it? Because no one in a large company wants to accept the risk, even imaginary risk. They want to be able to say, when security is breached, “we did our due diligence. Look at the report, we implemented everything in it”
Why do firms offering penetration testing keep putting junk like this into their reports? Because their automated tools list them out and they’re getting paid to find issues. The more the better.
The Dutch ID app got rid of all trackers and such requirements last year, but they didn't go the full length and made an F-droid repo (or a government store or sth).
Google actively guiding developers to APIs like the Play Integrity API (which requires not only you register the phone with Google on a Google account, but also an untampered device, outdated or not.
I don't even root my devices, just using something like Lineage already gets you the basic-integrity Max. Not enough for many banking apps.
It's the security of the ecosystem, where the interests of app vendors are fundamental: content distributors can count on enforcing DRM, and banks are relying on the camera used for KYC actually being a camera and not a virtual device.
Android does have a meaningfully improved security over typical Linux desktop: the segmentation of data between apps. Imagine what would happen if people run all the proprietary crap they do on a typical Linux box. That's multiple spyware apps with full filesystem access.
Unfortunately, Google also uses it to abuse the user by also segmenting the user's access as well, "protecting" apps from the user, which is an abomination.
Me too. But you have to be a lot more careful about not running proprietary crap on the desktop, which is easier to do than on phone. Ever been forced to install some crap for some event/business/etc?
I have the somewhat controversial opinion that most Android apps are pretty much useless as native and they would be okay as a webapp if it would be more seamless.
I wouldn't disagree at all. But you often have to waste a lot of time to avoid them, if at all possible. It's a good thing that Android at least offers some protection against them exfiltrating your filesystem.
I think you had the wrong idea on security here, the security is for the device manufacturers benefit to obsolete the hardware and force you to buy a new one not for your benefit. All the data is already being shipped off to where the hell ever for building models of you for advertising and more.
The whole security of both Android and iOS is a joke at this point. We know now that plenty of apps/games have proxy services built in, allowing the publisher to monetize their users, by selling proxy services to AI companies. If that can happen, with all the "security" those platforms and store supposedly offer, then I fail to see the point.
We're being prevented from installing and updating software on the devices we own, but Google and Apple will happily approve and sign malware in their stores?
Android devices are enraging. ARM in general, why is there never a boot loader?
I have a little Android handheld game device that will allow me to dual boot a Linux from SD quite easily... but why can't I overwrite the existing install? I thought Android was more open and hackable than that.
I've got an Anbernic RG353M, came with a dual boot as you've described. I completely wiped it and only have ROCKNIX on there, a minimal distro based on LibreELEC, I believe. I actually maintained an Android + ROCKNIX dualboot at first, but it breaks the sleep function for some reason, and the ROCKNIX docs for this device say to remove Android, so eventually I did. I didn't actually use the Android side but had kept it around just in case before.
Not all these devices have the same level of support, so do your research on your model before trying to overwrite the install.
I went with a Retroid after seeing articles about people booting ROCKNIX on it. And one can, from SD. But I did not do enough research to see there was no documentation on writing Linux to the internal storage.
I'm so tired of doing research. I'd just like it to be a functioning BIOS. I at least learned my lesson and have stayed clear of other Android devices.
Those AI translations are really bad these days... In german it says in the subline "Verwenden Sie das Android-Betriebssystem, um Ihr Gerät mit Strom zu versorgen.", that means: Use Android to power your device with electricity.
Please don't show me your crappy translations any more.
I checked and it's indeed the translation Google Translate gives for "Use the Android operating system to power your device."
Gemini 3 Pro offers "Nutzen Sie die Power von Android für Ihr Gerät." as a modern, tech-savvy alternative, as well as more literal translations that correctly recognize the idiom.
Yeah, I, too, was confused by this translation at first glance... That reminded me of when I had to install M$ Office for work. The download button read "Büro herunterladen" (Büro is the exact german translation of Office)
Google is an increasingly evil company run from an increasingly evil country. No decent person with self-respect should run their code. Unfortunately the development has already gone so far that real alternatives are few (I don't consider Apple or Huawei alternatives. Typed on SailfishOS, but there are reasons that it's not my primary phone.)
Android started out as an open ecosystem that is slowly being closed. How much funding would it take to re-create a credible open-source ecosystem for phones?
And since Project Treble you wouldn't even get the drivers, because Android Linux is a pseudo-microkernel now, where drivers run in userspace and talk via Android IPC (Binder) with the kernel, enforced since Android 8.
By GPL, they're only obligated to release an offer that allows costumers to request the source code. They can still keep the source "closed" by default.
It has to be the source of the distribution the user currently has a copy of. So they can't just say "sure" and then wait until the next public release. I'm not sure about timeliness, though.
From other discussions, it sounds like they are shipping the copyleft source on time, only the permissive/pushover licensed stuff gets delayed source releases.
Android is open source partly because they can fund it from Play Store profits. Google is thinking that their Play Store profits are going to be cut, and they want to make the profit up elsewhere - and importantly, maintain control of the platform. This is their method.
They've already used this playbook in the past with Google Play Services, and even before that when they abandoned all the built-in open source apps (Email, Calendar, etc.).
redirect your efforts into other areas. I'd love a simpler device like https://www.waveshare.com/esp32-p4-wifi6-touch-lcd-7-8-10.1.... to be well supported with a lightweight friendly OS. This is about as root as you can get for those who want root access. You'll have to put in an effort yourselves or you'll forever be using slop devices and software.
This sounds like defeat - essentially retreating into niches that only a handful of enthusiasts will be using, while leaving the mainstream to Google etc.
why is everyone so negative about anything alternative. it won't succeed and all. how do you know? maybe it's not defeat. maybe you'd be better off without any devices.
Aka "We will do less releases because certain OEMs don't want to be seen as outdated as they don't want to spend the resources to rebase even 4 times per year."
That's not clear to me: Will they do fewer releases, or will they have the same quarterly release cadence as now, just with only every second release open source?
I meant OEMs rushing the gun on new features that aren't fully baked. That probably does add support burden. (I don't know if it happens anymore but it used to be a problem on the OEM forks)
They should at least be shipping monthly updates with the months security updates. Well some months have not had any since Google is now trying to batch them to be quarterly because OEMs couldn't keep up with monthly security fixes.
AOSP has felt different lately, what’s going on? Not much. ~
More like a change of tone.
Quarterly releases given more emphasis. More precise stability language. Rather than feeling like an afterthought, feature flags are now receiving first-class treatment.
My view.
The isolation of platform work is earlier.
Landing flags are occurring more frequently than ever.
By “Stable,” it appears the Intuit team is suggesting “boring” which is deliberate.
I have been using a simple lens.
The surface of the platform is slow and predictable.
A gated and reversible design.
The OEM risk will be pushed later.
I wonder how other people see it.
Is Android giving off more conservative vibes?
Are flags cutting down on breakage, or just relocating it?
Has your testing strategy changed if you’ve shipped against AOSP?
In a practitioner’s take, not in a press narrative.
There's no way this isn't intentional hostility towards forks.
Of course it is. But it isn't new. This was declared in March last year. We discussed it a lot here. It's only now that it's going into effect.
/s
All those years back I started calling it, since I built software for (long-lived) HMI devices that ran on Android
“Phone by Google” is disgusting.
Except for RCS, that's completely locked down and is pretty solidly becoming literally just Google. Fuck RCS.
Implementing them independently is extremely difficult and even if you manage to do it you cannot have them commercially available due to radio regulation and patents. Even academic research can only be done with collaboration of those huge companies.
It is impossible to make a phone that is LTE capable completely independently (or even without nation state support). You cannot implement VoLTE or RCS without support from the carriers. They all have their own proprietary protocol on top of the standards.
Google has basically infinite money and their own patents and industry relationships and government support so they can figure out RCS. An indie company, even with infinitely motivated engineers and good funding do not have any of it.
Now I run a S23 Ultra and after two years it still does everything I need. OneUI 8.0 and Android 16. For work (app de) I also have a Pixel 7a, always with the newest Android Beta. Also works well.
Even the entry level phones work OK to pretty good now. My Samsung A16 5G (also for work) functions surprisingly well for 150€.
Maybe, but it is fully under Google and Samsung's control, and is choke full of spyware. You couldn't pay me to use a stock (Googled) Android phone for this reason alone.
I'm on year 5 of my Samsung s21u that I can replace the Samsung ux slop with asop ports
The 17 Pro (non-Max) only comes with up to 1TB of storage, but that's still more than my 15 of before.
I'm truly sorry about you having to re-live the trauma of using iPhone all the time.
My question is then the same of anyone who prefer to give up freedoms to centralized seemingly benevolent dictators: What happens when you are told you can no longer do something you were previously allowed to do, that is only in the interest of the centralized power?
Of course if I really cared about privacy, I would just install GrapheneOS or LineageOS on supported Android device, so no Apple in that case either.
Android will soon become fully closed source. The writing is on the wall.
https://news.ycombinator.com/item?id=46550366
Yes.
I think the future lies in organisation's bound by ties other that money
In my home town there is an example: Kai Tahu (https://en.wikipedia.org/wiki/Ng%C4%81i_Tahu#Trading_enterpr...)
Family based. Start with $170M in the 1990s and now worth billions
The basically aquire and never divest.
Not sure why people downvoted but this is sort of true
Microsoft was absolutely dominating and buying up everything (similar to today's tech giants) and they were literally the most mega corporation ever
Until they got hit by the monopoly lawsuit. That alone scared microsoft so much that it backed off
After the backing off is when Companies like google, heck Apple was directly invested to be saved by microsoft just so that they dont get threatened by the govt as monopoly and amazon.
In a way people mention so why couldn't Microsoft create their own engine but its also the fact that blink/chromium is based on fork of webkit which itself is a fork of KHTML from the kde team but webkit added many features (from what I could tell) and is a really complex software in it of itself
This was created by apple and apple as we know it would not have been able to exist without Microsoft backing off them
My point here is that in previous times, Microsoft was a large curtain blocking any innovation if they wanted but after it was feared by even a threat like monopoly, they took it very seriously and thus we have the cultural innovation in many ways that we have
Now the monopoly question was a genuine question still launched by the government.
Today the landscape is different, Google and these large tech companies would buy things and the meta strategy has become to sell, its a very cynical point of things which really just ends up screwing the customers in the end.
The government doesn't care, it might slap some 1% fine and there is a quote that if crime's punishment becomes only fines, then crime becomes legal and the fines compared to company are so small and they got legal structure so high that they strech it for as much as possible
Overall, the govt.'s being really lobbied by these tech giants and they stiffle tech innovation in the end
In the end all of them are the same, they all kind of want to be a microsoft pre monopoly era.
Govt's lack of understanding of the matters around the world is the reason why tech feels so intrusive. This has real consequences to you and me, now I don't trust the govt will be able to improve if its gets lobbied or corrupted and that's a seperate matter and might take new laws all around the world to prevent such corruption / lobbying but right now, the other best thing is to showcase support by being the minor fraction of the population who supports/donates to open source / msme businesses
"Microsoft was more scared of taking over companies that were competitors because of this anti trust trial. They had to back off a little and this created this tiny little gap, this little window from which many flowers can bloom. These flowers ended up growing into massive trillion dollars competitors (google and apple)"
Per Atrioc (https://youtu.be/VS6p5kPeD9I?si=PUT4R5a7Y4kiIvD2&t=692) [Title of the video being the Halo scheme is insane talking about groq's weird acquisition by nvidia]
I would consider that much of what I wrote in the previous comment was I think something I had thought about but this particular video definitely helped me and you could say did influence me in a way to write the comment.
It also mentions how it was provable that Microsoft was scared about it. I am not sure about this contradiction though but I would consider that it atleast created a gap for around 10-18 years from which the tech giants emerged.
With android 16 introducing "mid releases" (QPR2), they expect OEMs to start shipping those as well, QCOM already has a QPR2 BSP release, and Samsung is expected to release QPR2 based builds soon.
As far as contributions go, google usually wanted patches to apply to main, I don't think that ever changed. And even there now that AOSP development is fully closed, it's even easier as partners will likely just upload patches against internal main instead. Less integration work there as well.
There really isn't a good explanation as to why they want to do move code drop cadence, other than they can and want to avoid wasting time releasing QPR1/3 that no OEM ever shipped (expect Pixels that is)
In other words, the result is still open, but the development process is not.
[edit] based on the other comments, I surmise that public pushes were already infrequent.
Is the source code available at all times? This is a genuine question, I don't know right now.
When it comes to large bureaucracies, always assume laziness over malice or strategic competence.
And in what concerns the mainstream desktop/laptop market, macOS Linux VMs, WSL, ChromeOS, versus GNU/Linux OEM devices, proves most people doesn't care either what they can get at regular computer stores, otherwise GNU/Linux configurations would not be online only at very specific shops.
OpenMoko & friends are selling devices which basically only run Firefox, and sometimes make calls as well. The only people interested in that are diehard FLOSS enthusiasts, which means they have to use ancient hardware because new stuff doesn't have open drivers, which means that even if you ignore the app ecosystem they compare incredibly poorly to mainstream smartphones. No wonder they keep failing.
Interestingly, the desktop/laptop market is heading the other way. The move to cloud SaaS products means a decent number of people now only need a browser. What's keeping a lot of people on Windows is often literally one or two applications. Valve's push for Proton is the perfect example of this: the Steam Deck is providing a huge incentive to fix those last few bugs keeping a game from running on Linux, and with the way Microsoft is screwing up W11 it is now ironically the gamers who are moving to Linux.
What you are seeing in "regular computer stores" is mostly irrelevant. That market is basically dead. Corporate gets its machines directly from Dell/HP/Lenovo, PC enthusiasts mostly get custom builds, and casual people stick with smartphones and tablets. In-store PC sales is now reduced to a university student's Google Docs machine - and Microsoft is doing a pretty good job bribing the manufacturers to push Windows there.
Most of them have no clue that something like System 76 or Tuxedo exists in first place.
Likewise on corporate world, I have long moved into Windows/macOS as official desktops for the last decade, GNU/Linux is only available on VM or servers, and usually it is the cloud provider's own distro.
Those customers where IT allowed the use of GNU/Linux desktops, it was with zero support from them, it was up to us to deal ourselves with any issues preventing our work, and to deal with upper management, in case it impacts delivery.
Until SteamDeck gets rid of its dependency on Windows as source, it is pretty much irrelevant. Games developers will keep using their Windows workstations, while a community smaller than Switch, will get those games thanks to Proton.
And it remains to be seen for how long Microsoft will tolerate Steam, or use their weight as OS vendor, and one of the biggest publishers.
Mobile GNU/Linux might end up in a similar situation if projects like Waydroid[0] can be well-integrated into the system, or if the mobile hardware becomes powerful enough to run it well.
[0]: https://waydro.id
I'm pretty sure my Linux desktop version of Signal runs great on small screens.
At least for mean almost everything has moved into the browser except, Whatsapp, maps, and music
It's because people like you are constantly repeating this mantra of security nihilism [0], instead of spreading the word about true alternatives existing today, Librem 5 and Pinephone.
[0] https://news.ycombinator.com/item?id=27897975
The answer for most of those questions is no for both Librem and Pinephone. You cannot even buy Pinephones anymore. This is not nihilism.
Sure you can. The Pinephone Pro is discontinued, sadly, but regular Pinephones are able to be purchased, I just double checked the PINE64 store:
https://pine64.com/product/pinephone-beta-edition-with-conve...
No, they are very much an experiment at the moment.
> Does the cost reflect the value that the customer gets out of them?
Also no, for what they are they are vastly overprices. It makes much more sense to buy an old device that an run Lineage or PMOS.
It doesn't matter. We are not on a mainstream website, we're on HN. You and me can use it as a daily driver (I do). Nothing becomes mainstream and usable by public at the launch (except things advertised by the big tech of course).
> This is not nihilism.
Did you read the linked article? It's not about getting to 100% security/freedom without any effort. This is about giving up, as you did.
> How much does Librem 5 cost?
Yes, it's expensive. If you can't buy it, you can help in many other ways, e.g., by spreading the word or contributing to the free software.
> Can you still buy them?
Yes: https://shop.puri.sm/shop/librem-5/
> Are they able to deliver reasonably up-to-date set of features that general population care?
It doesn't matter. It can provide you with the main features you may need and add something you can't get anywhere else, https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F....
Further development can deliver most required features to the public, too, https://puri.sm/posts/closing-the-app-gap-momentum-and-time/.
> Will they deliver in a reasonable amount of time?
Yes, 10 working days, according to their website, https://puri.sm/products/librem-5/
> Will they be able to stay afloat?
It doesn't matter: The phone runs the mainline kernel and not locked down, it will be able to receive all updates even without Purism. You can install any other OS, too.
> Can they make enough money to invest in features?
Seems like no, because virtually nobody knows about them, even on HN. And, again, it doesn't really matter.
> Can they support an ecosystem that not only support FOSS but proprietary software too?
Why?
> Can they make contracts with operators to have earlier access to newer tech?
This is pure nihilism. Only Apple and Google can do that, so we're all doomed, right? However Purism have been trying, not without some progress, https://puri.sm/posts/breaking-ground/
> Does the cost reflect the value that the customer gets out of them?
Probably yes, https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...
Typed and submitted entirely on my Librem 5.
Security not only matters, we are still far away from the same liability as in other industries.
GNU/Linux also had as baseline what other UNIXes were capable of, and even that had to grew for ACLs, NSA's LinuxSE, and containers.
There is https://postmarketos.org/
Maybe 2026 will be the year of Linux on mobile phone.
And yeah, you can even buy phones with a non-android linux pre-installed, e.g. from pine64. But they come with all kinds of "for early adopters" warning labels. Deservedly so, in my opinion.
[0] https://news.ycombinator.com/item?id=25504641
GrapheneOS is a much more practical open source OS to use Linux on a phone.
BTW, hardware support on postmarketOS "community" class devices has seen some nice improvements as of late. Once these improvements meaningfully stabilize (avoiding the risk of regression/breakage; there's been some of that even in the recent testing for the 2025-12 stable release) it's quite possible that some "community" devices might finally reach "main" class, marking them as OK for daily-driver use. Something to watch for as we approach 2026-06.
Consumers don't care how interesting the developer's problems are. They want their own problems to be solved and GrapheneOS does a better job of that.
>running on an entirely mainline kernel
Google already did that work years ago. Android will work on a mainline kernel. Just like with x86 the mainline kernel needs to support the hardware e you want to use though.
While Google is allowing that.
> Just like with x86 the mainline kernel needs to support the hardware e you want to use though
Librem 5 runs on all free drivers. This is why it will never be tied to an old kernel. This doesn't work with GrapheneOS.
And while Linus allows Linux to be open source. A benefit of open source is that you can fork it if upstream decides to stop development or go closed source.
>This doesn't work with GrapheneOS.
GrapheneOS can use free drivers too. It literally is using Linux.
Linus can't close the kernel. He would need to ask all contributors for a signed agreement for that. This is the benefit of GPL.
See also: https://news.ycombinator.com/item?id=46177148
> GrapheneOS can use free drivers too. It literally is using Linux.
Except there is no device with free drivers that it supports. They just refuse to support Librem or Pinephone without a good reason. (I strongly disagree with their "security" arguments.)
> A benefit of open source is that you can fork it if upstream decides to stop development or go closed source
Android is already semi-closed (see this submission). Are GrapheneOS developers forking it? (No)
That's not how it works. GPL only prevents old versions from becoming closed source. If Linus added code to the kernel which required a $100k license to redistribute then people could no longer freely distribute the code of the kernel. People could not freely distribute compile kernels because they would need that license. GPL doesn't magically make all licensing issues go away. He could also make a required kernel module that was not GPL licensed that Linux could require to operate.
>Except there is no device with free drivers that it supports.
Having a working system providing competitive value to others is much more important.
>They just refuse to support Librem or Pinephone without a good reason.
The good reason is that those devices can't provide industry standard security.
This is false, https://www.gnu.org/licenses/gpl-faq.html#LinkingWithGPL
> Having a working system providing competitive value to others is much more important.
I don't consider dependence on Google as "working for the users".
> The good reason is that those devices can't provide industry standard security.
Obeying Google is not "security", even if it's the industry standard.
See my other reply concerning this: https://news.ycombinator.com/item?id=46569163
> hardware isn't quite worth the price tag in-and-of-itself
https://puri.sm/posts/the-danger-of-focusing-on-specs/
> We need a third alternative, based on freedom with your device.
We does not refer only to HN users, and there is no implication as such.
The default assumption is that 'we' refers to the general population.
However, even if I'm charitable and go with your assumption that 'we' referred to HN users, I will confidently say most HN users also don't care about FSF approval.
> See also: https://news.ycombinator.com/item?id=46569163
You like to post a lot of HN links without ever giving an indication of what they point to. As a habit, I don't waste my time clicking random links that people post without context.
Considering the ongoing DRAM and SSD crunch, I won't hold my breath.
I'm currently working on an OS image for the Hackberry devices, maybe it'll get some traction. [1]
[1] https://github.com/rogueberry
[2] https://github.com/ZitaoTech/HackberryPiCM5
Note, not impossible: You can always carry cash to avoid phone-based bank payments (which would be needed at e.g. my local farmer's market, where nobody has a card payment terminal), some taxi services (Yandex Go for example) provide a web view with some of the features, you can open map services in the browser ...
But for the browser-based cases the experience will be even worse than the standard app experience, and friction is overall much higher.
As a result, only a very small fraction of nerds are committed enough to buy and use these devices. You then have a chicken&egg problem about getting a third option to work.
The only way this has been done semi-successfully in recent years is Huawei's HarmonyOS - and they did it by way of a) already being an absolutely massive phone company, and b) keeping around an expensive Android-compatibility core for many years.
Users - there is a broad scope of users. For sustainable eco-system you need also user interest and support of such.
Developers - that sounds funny. I know. But you need enough leverage to get apps or services to be open.
Companies/Software - a modern mobile device takes place in almost any interaction. Commuting, payment, banking, grocery shopping, social messaging, doom scrolling.
Biggest hope for the future is ensuring PWA becomes standardized enough. That way the OS lock-in could be reduced.
Well, you're right, however badly I don't want to admit it. Google broke that cycle once with Android. I'm sure that Apple would have too, even if they were not the first mover. And there's no question that their wealth and influence had a massive role in it - something an open platform cannot match realistically.
But the current situation is simply untenable anymore. I want out, no matter how many others don't care for it. The open platform has to be just functional enough (including app support, even as PWAs), for us to break free from this duopoly. Just like how Linux and BSDs are on desktops. I'm able to do everything on it from work to netbanking. I would hate it really badly if I was forced to use Windows or MacOS these days.
We never had one on desktop; no real issues. Hardware attestation is primarily in the interest of the vendor, not the user. The user relies on chains of trust. This is how the world works.
My worry is one fine day Microsoft, Samsung Apple, and Google (rest of SV Media companies like Netflix etc) will join hands in bringing security and force a ChromeOS or macOS type totally- we decide everything for you.
(My impression was based on lwn discussions about that change)
Edit: https://android.googlesource.com/kernel/common/ has a lot of recent changes
One reason, I guess it's not possible because it's a complex OS?
But is the real obstacle being smartphone brands not publishing their hardware drivers?
It is so easy to install linux on a PC, yet I don't see the same happening for android while it's actually running a linux kernel, so it really begs the question.
It comes with optional sandboxed Google Play Services and Store, meaning that these run just like any other app, with no special permissions. You can give them only Network access. The Play Store is still the most secure way to download everyday apps, so a lot of GrapheneOS users use Google's Play Store with a burner account in a separate profile, usually the Owner (the main) profile - since you can then disable apps in Owner and install them into other profiles. And the sandboxed google stuff can be used to run proper Google apps without any problem. Even sandboxed Android Auto works.
It's not particularly difficult -- see Graphene and Lineage. The main issue is that there are few phones on which to run these custom builds. Ironically, Google Pixels allow to run other operating systems than the one they come with (the bootloader can be unlocked). Other than the Pixel and a couple of Chinese models, you are looking at low-end or ancient hardware. You can't just build a phone without OS and install Linux/Android like you would on a PC.
Android is open source, does that mean brands don't release the drivers, or the scripts involved in making the images?
Are those drivers and scripts proprietary?
As rooting may tamper the google's telemetry (can we already call it "spying" please).
The worse part is that, you can do all of those functionality with a browser on linux (or Android), yet to use them as Android apps on a device without gapps (even if jt's not rooted and with locked bootloader) is not allowed. Make this make sense.
The same in India. I can't use even the government weather app and the disaster alerts app without signing in to google play.
Seeing that this malpractice (of forcing the users into Google's surveillance net) is widespread among seemingly unrelated agencies like banks and government agencies of several nations, I would really like to know who is peddling this draconian scheme among them.
I want to send some angry rants to the app owners/developers and ask for those malicious peddlers to be permanently banned from further interference in cyber security matters of these institutions.
Play Integrity is a remote attestation scheme by which apps can ask the OS to prove to a remote server that it is unmodified. It allows apps to refuse to run on devices with root or third-party ROMs.
Play Services is a set of libraries and APIs for things like network-based location, push notifications, and advertising. Nearly all Android phones include it, and users of third-party ROMs can add it at install time (but not later) with packages like MindTheGapps. There's an open source substitute called MicroG that allows most apps to run without it.
You're right in your elaboration, but I didn't mention which one it is. My primary concern is that it forces me to log in to my play services account, which I haven't agreed to so far.
> There's an open source substitute called MicroG that allows most apps to run without it.
It's not for the lack of trying and I probably wouldn't even be complaining if it had worked. Phones are getting harder to root these days, much less install a custom ROM. Everyday feels like the ecosystem is tightening around us.
https://calebhearth.com/dont-get-distracted
(Yes, there will still be issues if you use apps that require Google's remote attestation, but at least in Europe, many banks etc. do not require it.)
This isn't true, actually. Banks and gov entities use those mobile apps as authenticators. They do have a distinct purpose.
I know in some countries (UK, Germany, Switzerland, Austria) they're used to hardware tokens already since they were in use long before PSD2. But I seriously, seriously doubt banks in e.g. Poland specifically implement support for hardware tokens issued to very few annoying customers who refuse to use an app but otherwise want internet banking.
And here is the funny part. On my A13 Android (fully rooted, BL UL, custom ROM) I can totally bypass play integrity, using the keybox method. There is literally no way for google to patch this. I am yet to get it working on A16, mainly for lack of time to tinker, also because OP15 has no sources released yet to build ROMs for it, which is the main motivator for me to use an Android phone.
The takeaway is this: Google promotes "Play Integrity" (PI) as a working solution against "tempered devices" (ie. because god forbid you have sudo access on your device). Yet, it's easy (albeit a bit complex as you have to know the right telegram groups) to bypass it. PI gives the illusion of security, yet in reality it counter-solution exists. Real bad actors would have 0 issues doing what they want to do, the real impact is deterring users from open source roms like Lineage, simply because their bank app wouldn't work, which imo is Google plan all along masquerading as security feature. Google's main business is ads, and hosts based ad blocking is extremely easy once rooted.
Their recent moves align well with this (slow rollout of open sourcing, QPR2 is still not out yet, antagonizibg 3rd party stores like f-droid), all in the "name" of security.
So what you're saying is that you can have it permanently 'fixed' with no shenanigans like that?
I'm in the EU and currently I do online banking with 3 banks without using any app, i.e. thru a laptop browser. The 1st literally lets me stay logged in with a simple cookie, with an SMS 2FA requirement every 90 days. The 2nd additionally asks for a PIN to be entered at each session. The 3rd is a neobank and is tougher, requiring a TOTP (which I generate on the same machine, needless to say).
A 4th does require an app, and in fact can hardly even be used with a desktop OS. That bank is Revolut and I therefore don't use it and I recommend others avoid it too.
The pen test results get put into the ticket system as immovable entries. Engineers will question them, only to be shot down by the cyber security department who organized the pen test. The engineers will eventually accept that they cannot convince cyber to drop the issue, and implement the jail break detection.
Why does cyber mandate it? Because no one in a large company wants to accept the risk, even imaginary risk. They want to be able to say, when security is breached, “we did our due diligence. Look at the report, we implemented everything in it”
Why do firms offering penetration testing keep putting junk like this into their reports? Because their automated tools list them out and they’re getting paid to find issues. The more the better.
It’s insane and entirely about passing off risk.
The Dutch ID app got rid of all trackers and such requirements last year, but they didn't go the full length and made an F-droid repo (or a government store or sth).
Google actively guiding developers to APIs like the Play Integrity API (which requires not only you register the phone with Google on a Google account, but also an untampered device, outdated or not.
I don't even root my devices, just using something like Lineage already gets you the basic-integrity Max. Not enough for many banking apps.
The term has fallen by the wayside and hardly ever gets used nowadays.
Unfortunately, Google also uses it to abuse the user by also segmenting the user's access as well, "protecting" apps from the user, which is an abomination.
Exceptions would maybe be games.
We're being prevented from installing and updating software on the devices we own, but Google and Apple will happily approve and sign malware in their stores?
I have a little Android handheld game device that will allow me to dual boot a Linux from SD quite easily... but why can't I overwrite the existing install? I thought Android was more open and hackable than that.
https://worthdoingbadly.com/qcomxbl/
Not all these devices have the same level of support, so do your research on your model before trying to overwrite the install.
I'm so tired of doing research. I'd just like it to be a functioning BIOS. I at least learned my lesson and have stayed clear of other Android devices.
Please don't show me your crappy translations any more.
Gemini 3 Pro offers "Nutzen Sie die Power von Android für Ihr Gerät." as a modern, tech-savvy alternative, as well as more literal translations that correctly recognize the idiom.
And since Project Treble you wouldn't even get the drivers, because Android Linux is a pseudo-microkernel now, where drivers run in userspace and talk via Android IPC (Binder) with the kernel, enforced since Android 8.
If a user asks for the source, and the distributor says "sure" and then delivers it 12 months later, have they violated the license?
They are trying to avoid it, but I doubt the EU will let this stand:
https://www.developer-tech.com/news/google-alters-play-store...
Android is open source partly because they can fund it from Play Store profits. Google is thinking that their Play Store profits are going to be cut, and they want to make the profit up elsewhere - and importantly, maintain control of the platform. This is their method.
They've already used this playbook in the past with Google Play Services, and even before that when they abandoned all the built-in open source apps (Email, Calendar, etc.).
Aka "We will do less releases because certain OEMs don't want to be seen as outdated as they don't want to spend the resources to rebase even 4 times per year."
More like a change of tone.
Quarterly releases given more emphasis. More precise stability language. Rather than feeling like an afterthought, feature flags are now receiving first-class treatment.
My view.
The isolation of platform work is earlier.
Landing flags are occurring more frequently than ever.
By “Stable,” it appears the Intuit team is suggesting “boring” which is deliberate.
I have been using a simple lens.
The surface of the platform is slow and predictable.
A gated and reversible design.
The OEM risk will be pushed later.
I wonder how other people see it.
Is Android giving off more conservative vibes?
Are flags cutting down on breakage, or just relocating it?
Has your testing strategy changed if you’ve shipped against AOSP?
In a practitioner’s take, not in a press narrative.