• Free Palestine 🇵🇸@sh.itjust.works
          1 year ago

          No, it definitely isn’t. Stop spreading false information and potentially giving people a false sense of security. LineageOS isn’t even as secure as stock Android, it’s definitely not as secure as GrapheneOS as GOS has many security improvements compared to the AOSP. Some examples are the hardened C Library, hardened memory allocator, improved SELinux policies, secure app spawning, hardened browser (Vanadium) which is also used for WebView, etc. LineageOS doesn’t even allow you to relock the bootloader, meaning anyone can modify the system because Android Verified Boot only works with a locked bootloader. It doesn’t have any of the security features that GrapheneOS adds on top of AOSP, it also lacks basic security features from AOSP. It’s ok for tinkering, but I would never use Lineage on a production device. You can read the section about LineageOS of this blog post: https://madaidans-insecurities.github.io/android.html#lineageos

          Quote:

          A common ROM that has many of these issues is LineageOS:

          • LineageOS uses userdebug builds by default. This adds many debugging features as additional attack surface. It also weakens various SELinux policies and exposes root access via ADB, which, as previously discussed, is not a good idea.
          • LineageOS requires an unlocked bootloader, therefore disabling verified boot, which is essential to verify the integrity of the operating system.
          • It does not implement rollback protection. This allows an attacker to downgrade the system to an older version and then exploit already patched vulnerabilities. The default updater even allows you to downgrade versions yourself.
          • Most LineageOS builds also do not include firmware updates, which prevents users from getting new patches to fix vulnerabilities. Instead, it gives a pop-up advising users to flash updates manually that most people will simply ignore.

          This is a non-exhaustive list. There are more issues than just those listed above. LineageOS (and most other custom ROMs) are focused on customising the device and not privacy or security. Of course, you could build LineageOS yourself to fix many of these issues, but most users will not be capable of doing so.
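
The first two bullets in the quote above (userdebug builds, unlocked bootloader and disabled verified boot) can be checked on a device from `adb shell getprop` output. The following is an added example, not part of the original comment or the quoted blog post; the sample output is constructed, and it assumes the device reports these standard Android properties (vendors vary, so a missing property is flagged rather than assumed safe). Rollback protection and firmware updates are not covered.

```python
import re

# Constructed sample of `adb shell getprop` output (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.build.version.security_patch]: [2023-05-05]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Property -> (acceptable values, why anything else matters).
# verifiedbootstate: green = locked, OEM key; yellow = locked, user-set key;
# orange = unlocked bootloader; red = verification failed.
EXPECTED = {
    "ro.build.type": ({"user"}, "non-user build ships debugging features"),
    "ro.debuggable": ({"0"}, "debuggable build, root reachable over ADB"),
    "ro.boot.verifiedbootstate": ({"green", "yellow"}, "verified boot not enforcing"),
    "ro.boot.flash.locked": ({"1"}, "bootloader is unlocked"),
}


def parse_getprop(text):
    """Parse `[name]: [value]` lines into a dict, skipping anything malformed."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props):
    """Return (property, reason) pairs for every check that does not pass."""
    findings = []
    for name, (ok_values, why) in EXPECTED.items():
        value = props.get(name)
        if value is None:
            findings.append((name, "not reported by device; cannot confirm"))
        elif value not in ok_values:
            findings.append((name, f"{value!r}: {why}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_getprop(SAMPLE_GETPROP)):
        print(f"{name}: {reason}")
```
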

        • xavier666@lemm.ee
          1 year ago

          From a privacy standpoint, Lineage OS uses hard-coded Google IPs for some core functionalities (DNS, NTP, Webview). MentalOutlaw did a video on this and how it can be removed by rooting your phone.

        • Free Palestine 🇵🇸@sh.itjust.works
          1 year ago

          Why is my comment crap?

          Which of my points are not true?

          LineageOS has far worse security than both AOSP and GrapheneOS as outlined in the LineageOS section of this blog post: https://madaidans-insecurities.github.io/android.html#lineageos

          It also has worse privacy because it uses Google services for things like DNS and NTP by default, which cannot be changed by the user. GrapheneOS replaces all Google services like DNS, NTP, connectivity check, and the Attestation key provisioning service through either their own service or their own proxy for the Google service. Most of these can also be entirely disabled by the user on GrapheneOS. It also offers proxies for SUPL and PSDS location services and allows the user to disable these.

          App compatibility is worse, as LineageOS uses microG whereas GrapheneOS uses Sandboxed Google Play services. microG is an insecure and poorly implemented version of Google Play services that sometimes has issues with basic Google SafetyNet checks. GrapheneOS just uses the standard Google Mobile Services bundle, but it’s not installed as a system app and has the same privileges as any other app. It can be installed and uninstalled by the user and all permissions can be revoked (including network and sensor access).