by kogepathic 3498 days ago
> I'm in the market for a new Android phone.

Find a phone which has a large community around it, and lots of custom ROMs available. An official Cyanogenmod release is a good sign. It's also a sign that your phone will have a longer usable life than whatever the manufacturer promises you now.

Custom ROMs have a long history of extending the life of phones. For example the HTC G1 was abandoned by Google at Donut (1.6) but unofficially received up to Gingerbread (2.3). It's a bit of a perverse example, but hopefully enough to make the point. Phones with good community support receive current versions of Android long after both Google and the manufacturer have stopped giving a shit.

To the people who say "you can't trust a random stranger on the internet making a custom ROM to be any more secure than the manufacturer ROM": you're right. If someone wanted to make a custom ROM with malware in it, there's a pretty good chance it may not be noticed.

If your threat model includes a three letter agency, then don't use Android. Full stop. The iPhone is the ecosystem you want.

I recommend that all my friends and family buy phones with good community support, just to receive updates to ROMs like Cyanogen. The first thing I do when they say they're considering "Phone XYZ" is to look on XDA Developers[0] to gauge the level of community around the model. If it looks dead (e.g. look up any tablet based on the NVidia Tegra for what not to buy [1]) then I recommend they keep looking.

I've had really good luck with Chinese phones which are also sold in markets like Southeast Asia and India. There are millions of users of these phones, so the custom ROM community is quite strong. The hardware is also quite cheap; I have a Xiaomi Redmi 2 I bought last year for $125 USD including shipping, and it runs Android 7 thanks to community developers [2].

[0] http://forum.xda-developers.com

[1] http://forum.xda-developers.com/mi-pad

[2] http://forum.xda-developers.com/redmi-2


> If your threat model includes a three letter agency, then don't use Android. Full stop. The iPhone is the ecosystem you want.

I wouldn't count on that either. It depends on how "interesting" you are to them; given their reach, I would be really surprised if some of these agencies don't have zero-days and/or backdoors stockpiled for high value targets.

Heck, or they even have cooperation from Apple. Apple claims they don't have a backdoor, and the FBI moans that they can't hack current iPhones.

But honestly, who can ensure to me that there is no national security letter (or other mechanism I don't know about) forcing Apple to cooperate, with a gag order forcing them to keep silent?

Who can assure me that the NSA et al. are not bribing, blackmailing, or using court orders on the three or four vocal security experts I can name (like Bruce Schneier, tptacek, Moxie Marlinspike, ...)? Everything they say on this topic might be manipulated; who knows.

There could be backdoors everywhere, in apps, hardware, routers, lamps, whatever. Occam's razor suggests that this is crazy, but then people found spam-sending Wi-Fi chips in clothes irons, so I guess nothing is too far fetched.

If you suspect "they" might be out to get you, the only thing you can really do is to stay under the radar, and hope they don't notice you and target you individually.

If we turn completely cynical and tell everyone that all manufacturers are equal, we take away all incentives for them to actually try to protect their users' privacy.

Apple deserves some recognition for their attempts. At some point they were fighting several lawsuits seeking to protect their users, and were under massive attack by some politicians because one of the cases was a terrorist. That's quite risky – with the current political climate, being associated with one of the parties has the potential to cut your revenue in half.

The FBI may have ultimately gotten the data after buying a zero-day exploit, which is unfortunate. But Apple seemed to be winning in court at that time and the gov may have been quite happy to find a way to drop the lawsuits without losing face.

Apple also uses https://en.wikipedia.org/wiki/Warrant_canary, which may or may not be useful.

I keep wondering the same. And I keep thinking that by the time I became privacy conscious, I was already like 20-30 years late...

What can we do?

If your threat model includes a three letter agency, then don't use a phone.

I spent a day battling with getting a custom ROM on my Redmi 3 and gave up. In case anyone reads this: Xiaomi make amazing phones for the price. This $120 USD phone outperforms my S3. But getting a custom ROM on a Xiaomi is getting increasingly difficult - you have to ask for permission, jump through hoops to unlock the phone and sometimes it just does not work. Xiaomi is the Apple of China - great UI but increasingly closed ecosystem. Their OS is called MIUI, which is basically Android with more customization options (necessary for the markets they serve). It is a great phone and OS, but it is more complex than just flashing CyanogenMod (unfortunately).
This does not blanket apply to all Xiaomi devices. There are official builds of CM available for the Mi3, Mi4, Redmi Note 3, and a fully open source unofficial build for the Mi4C and Mi4S.

Unlocking their bootloader can be done officially through a request, or unofficially. Changing the recovery by replacing a single file in the EDL and retaining bootloader lock is also possible.

It took me a couple of hours to get an unlock granted, then the unlock was done in a couple of minutes - it does require reading the instructions though.

After the unlock:

fastboot flash recovery twrp.img

fastboot boot twrp.img

<Couple swipes to Install the previously downloaded .zip>

Same as Nexus.
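The two fastboot steps above, wrapped in an added shell helper that is not part of the comment: it refuses to flash unless the downloaded image matches the SHA-256 the ROM's download page publishes, so a corrupted or swapped download never reaches the device. The file name twrp.img, the EXPECTED_HASH variable and the DRY_RUN switch are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded recovery image
# against the SHA-256 published alongside it before handing it to fastboot.
# twrp.img and EXPECTED_HASH are placeholders; set DRY_RUN=1 to print the
# fastboot commands instead of running them.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE exists and its SHA-256 equals EXPECTED_HEX
# (compared case-insensitively, since download pages publish either case).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ ! -f "$file" ]; then
    echo "verify_sha256: no such file: $file" >&2
    return 1
  fi
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS fallback
  fi
  if [ "$actual" != "$expected" ]; then
    echo "verify_sha256: MISMATCH for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# run CMD... : echo the command under DRY_RUN, otherwise execute it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# flash_recovery IMG EXPECTED_HEX : the two fastboot steps from the comment,
# gated on the checksum so an unverified image is never written.
flash_recovery() {
  verify_sha256 "$1" "$2" || return 1
  run fastboot flash recovery "$1"
  run fastboot boot "$1"
}

# Usage (EXPECTED_HASH is a placeholder; copy the real value from the ROM page):
# flash_recovery twrp.img "$EXPECTED_HASH"
```

A matching hash only shows you have the file the ROM author published; it says nothing about whether that author's build is trustworthy, which is the separate concern raised earlier in the thread.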

Sounds great! Does Android 7 run smoothly and stably on this device?

Custom roms never run stable from my experience and that is why I have stuck with Google Nexus devices in the past.

Maybe if the phone is past its supported update lifespan then I would consider custom roms, otherwise I don't want to have to deal with these frustrations on a brand new device.

YMMV obviously but having used CyanogenMod for the past few years on various devices I've found it to generally exceed the stability of vendor-provided Android. Not to mention the better user experience and more rapid security patching.

> Custom roms never run stable from my experience and that is why I have stuck with Google Nexus devices in the past.

Coincidentally enough, the custom ROMs for the N4 and N5 are ubiquitous & surprisingly stable. My N4 running CM 10.1.3 has yet to crash or freeze w/out my fiddling with Privacy Guard (been fiddling with it for 2 years, became daily phone only recently). The Sailfish OS ROM has come a long way and is still actively updated. Sure they're dated & SFOS is somewhat limited (and trust isn't quite on par w/ Maemo) but what else is there? Yeah, Neo900 was an admirable reboot attempt, but roadblocks have put them even further behind the curve.

Funny that, my experience is quite the opposite.

Nexus 6P (Marshmallow); any time I lost phone signal the messaging app would get itself stuck in a tight loop until it had to be force-stopped. You'd think they would have tested that on a brand new device.

CyanogenMod has been great in the past, as you say, to extend the life of old phones. Quite stable too.

I have a custom ROM on my OnePlus 2, it's smooth like butter.

That's interesting - which ROM are you using?

Latest CyanogenMod 13 with Google Play minimal installed.

Not quite yet. There are still some issues to be worked out. [0]

It runs Android 6 (CM13) great, just in my opinion Nougat isn't polished enough for daily use.

[0] http://forum.xda-developers.com/redmi-2/development/rom-cyan...