F-Droid version of KDEConnect uninstalled by PlayProtect (opens in new tab)

I'm running lineageOS, and I had to root the phone to make one banking app work (and Netflix and some games.)

It actually passes SafetyNet out of the box, but there's a CTS profile check that some apps do in addition to SafetyNet, and I had to root the phone to make it provide a profile that those apps are happy with. And then I had to install a SafetyNet bypass, because fixing the CTS profile broke SafetyNet.

It un-roots itself every time I install an update, which is kind of a pain in the ass, but someone wrote a script to re-root lineageOS (from a desktop computer), so it's not too bad these days.

I use GrapheneOS daily and use banking, government, and other sensitive apps without problem. It's a common myth that you can't use those apps on GrapheneOS.

You can run all of these apps with GrapheneOS, in that regard it's very different than LineageOS because it has a compatibility layer as a first class feature [0]. You can either create a different user profile and install the play services there or create a work profile (with shelter) and install google services there. I keep my banking apps in a work profile and shelter completely freezes/disables them when I'm not using them. Otherwise they work fine. I do want to note that I'm fine with only using apps from F-Droid in my main profile. I mostly use NewPipe, FairEmail, KeePass and Harmonic (HN client) and that's about it. I don't tend to create accounts on websites but if you use social media this setup will probably not be the most compatible. It's honestly mind blowing though. I've never ran a custom ROM with such a "vanilla" experience, even getting OTA updates within a week of them being out for Android.

[0]: https://grapheneos.org/faq#google-services

In my experience, most banking apps are horrible and not worth using over accessing the bank's browser version.

Device attestation works for banking applications on GrapheneOS.

The only thing which doesn't work is google wallet because they explcitly expect a Google signed operating system.

When I started using GrapheneOS several years ago, I quickly realized I had jumped a lot further down the FOSS rabbit hole than I realized.

Today, I consider the inability to use government or banking apps on a device that travels in my pocket a feature, not a bug, but it was indeed a steep and sometimes unpleasant learning curve.

LineageOS is supported on a bit more devices, and works with microG if you're willing to sacrifice Google Pay for better battery life and less privacy violations: https://lineage.microg.org/

Even in the US, the limited hardware support is a barrier right now, especially with having to find a unit that has an unblockable bootloader.

But it's still doable for many people. I most recently bought a second-hand Pixel 6a for GrapheneOS, and BYOD it to an inexpensive no-contract plan.

Pixel 6a units with unlockable bootloaders are currently $235+ on US eBay, which is less than new current Pixels and iPhones bought outright, but more than many lower-end devices, and more upfront than people pay for contract plans that toss in a phone.

Aren’t those kind of phones typically infested with malware from the manufacturer to begin with, making Google’s stalking the least of your worries?

Can you share some examples?

It's very interesting because 1/4 of Pixel 6a would be around 80 EUR... so I wonder about your environment and what workarounds you have for these problems.

I got lucky and bought a barely used Pixel 3a for ~ $130 USD. But yes, it was hard to find.

It was much easier to find a Pixel 4 or a 4a, but those were too expensive for me.

Also Volla OS.

Banks in many countries require an Android phone for online banking. Even if they offer an online-banking website that you can access with any browser, you may still need the Android app for 2FA. This is one of a number of reasons why the PinePhone or Librem is unfortunately not a daily driver. Also, things like paying for parking or interacting with public services are moving to Android apps in some places.

It's the regulation that should focus on creating the foundations of alternative systems, not the phone manufacturers. If a bank doesn't have a website, or a govt app doesn't have a website equivalent, then Librem & co is already out of the picture, from the everyday usability standpoint. To provide the citizens freedoms, service providers need to be forced to use open standards, like HTTP & HTML, to serve an standard interface that has all the necessary functionality. No matter how many grassroots initiatives we have, if this is not provided, they are automatically all out of the race.

So really, if anything, I'd like people to focus on regulation.

No it isn't, as unlike the others, grapheneOS is actually usable and dailyable.

You make a convincing argument. I'm switching to GrapheneOS for my next phone upgrade. Here is the source code: https://grapheneos.org/source

> “he used GrapheneOS” is 100% going to be used against you in court.

I look forward to using this as a litmus test for legal representation.

> “he used GrapheneOS” is 100% going to be used against you in court.

Has that ever happened?

I hadn't heard of that, and people have been running GrapheneOS (and Copperhead before it) for many years.

The first person I knew using it was a lawyer at Harvard Law School.

The constant nagging when you tell Google "no" shows how little respect they have for their users. Messages by Google, which is primarily an SMS app, is asking me every 1-2 weeks to enable RCS chats. The link for declining the request is small and easy to miss, while the AGREE button below it takes up 25% of the area of the popup.

Dear Google UX designers, the way you present your little "decline" links is illegal in the EU. I'm sure you've got these design directives from a product manager, but you can still say "no" to breaking the law.

The only acceptable phone for me has been a Pixel phone, with GrapheneOS installed. I do wish the permission to install/uninstall were separated for something like this (I may be naive). I have everything installed to a work profile in Android (using the Shelter app). I can globally pause all work-profile apps. It's not the best, because when unpaused I'm not getting some notifications. I need to figure that out.

I agree this is google doing evil and there should be government intervention for this kind of shit.

There's a timer that re-enables the Play Protect nag after a certain period of time. I can't remember how many days it is.

You can permanently disable it by running the following over ADB or a local shell. Works for me.

    # This should disable Play Protect. Maybe.
    # https://android.stackexchange.com/questions/187097/is-there-a-way-to-control-use-google-play-protect-together-with-microg-open-sou
    settings put global package_verifier_enable 0
    settings put global package_verifier_user_consent -1
    settings put secure package_verifier_user_consent -1
    settings put global upload_apk_enable 0
    settings put global PACKAGE_VERIFIER_SETTING_VISIBLE 1
    settings put global PACKAGE_VERIFIER_INCLUDE_ADB 0

> This is precisely one of the perks of rooting.

Rather, it's a benefit of an unlocked bootloader; you can root a device with a locked bootloader, and you can use an unlocked bootloader to install an unrooted OS (or, for that matter, you can unlock the bootloader without rooting, depending on the device).

> Unless you mean as a right, without needing to root? I'd disagree (from a corporate/warranty perspective), but I'll bite

Why? I mean, sure, if the manufacturer can show that damage resulted from the user modifying the device then fine, but otherwise there's no reason for modifying software to affect a warranty on hardware.

Do you think the ability for the owner to root is not worthy of protections? It seems odd to draw that distinction when they are two sides of the same coin

That's my bet as well, the signature difference probably makes it look like one of the many fake APKs people often download from piracy sites and malware infested file sharing sites.

Unfortunately, Google doesn't let you upload an APK with your own signature to Google Play anymore, so the devs can't really offer any solution. Best I can come up with is downloading the signed version from Google Play and uploading that, but that'd make updating the app wirhout uninstalling impossible for most of their users. Same with offering the free version as a different package name as the proprietary version, existing users would lose updates.

Google needs to fix this because they're basically killing every alternative app store this way, which probably violates the DMA/DSA law (whichever applies here) in quite a major way.

Even if it is like you state, link directly there, to the exact posts that prove this and not in an intermediate site. HN is supposed to keep a higher post standard

Thanks for sharing! Looks like there is now a more active fork at https://github.com/sannidhyaroy/Soduto