by NotPavlovsDog 1908 days ago
I have been reviewing security for unofficial builds, and it's pretty abysmal, same for GPL compliance by the ROM creators. Could you share how you reviewed security for the unofficial ROM?

I'm putting together a list of actions to take, but so far it appears it will take days to review ROMs; alternatively, download a ROM, review what is in it and build from the Lineage official source, with Lineage having the better privacy record ....

Some things I would need to check:

- The binary blobs at least match the originals, for example binaries from xiaomi

- Included applications that DO publish their source match the published source / binaries built from said source

- Permissions are sane/correct and don't have too many 777 where it is not needed, which is often set for convenience during development

- That developers are aware and transparent about any telemetry or spyware, which appears to receive a rather cavalier approach from many developers.
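The first and third checks above (vendor blobs matching the stock image, and no stray world-writable files) are mechanical enough to script. The following is an added example, not something from this thread or from any ROM project: it hashes the blobs in an unpacked stock image to build a reference manifest, then compares an unpacked custom ROM tree against it and flags any file with the "other" write bit set. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(stock_root: Path, blob_paths) -> dict:
    """Hash the listed blobs in the stock (vendor) image tree; these are the reference values."""
    return {rel: sha256_of(stock_root / rel) for rel in blob_paths}

def review_rom(rom_root: Path, manifest: dict) -> dict:
    """Flag blobs that are missing or differ from the stock hash, and any world-writable file."""
    findings = {"blob_mismatch": [], "blob_missing": [], "world_writable": []}
    for rel, expected in sorted(manifest.items()):
        p = rom_root / rel
        if not p.is_file():
            findings["blob_missing"].append(rel)
        elif sha256_of(p) != expected:
            findings["blob_mismatch"].append(rel)
    for p in sorted(rom_root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        if p.stat().st_mode & stat.S_IWOTH:  # the 'other' write bit, as in 777 or 666
            findings["world_writable"].append(str(p.relative_to(rom_root)))
    return findings

def _put(path: Path, data: bytes, mode: int = 0o644) -> None:
    """Write a constructed sample file with an explicit mode so the demo is umask-independent."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.chmod(path, mode)

def demo() -> dict:
    """Constructed stock tree vs. constructed custom-ROM tree (not real firmware contents)."""
    base = Path(tempfile.mkdtemp())
    stock, rom = base / "stock", base / "rom"
    _put(stock / "vendor/lib/libvendor_hal.so", b"stock HAL build")
    _put(stock / "vendor/bin/vendor_daemon", b"stock daemon build")
    _put(rom / "vendor/lib/libvendor_hal.so", b"stock HAL build")      # unchanged, matches
    _put(rom / "vendor/bin/vendor_daemon", b"modified daemon build")   # silently altered
    _put(rom / "vendor/bin/debug.sh", b"#!/system/bin/sh\n", 0o777)    # left 777 for convenience
    manifest = build_manifest(stock, ["vendor/lib/libvendor_hal.so", "vendor/bin/vendor_daemon"])
    return review_rom(rom, manifest)

if __name__ == "__main__":
    print(demo())
```

Against a real image you would point `build_manifest` at the extracted stock firmware and `review_rom` at the extracted custom ROM; the output lists exactly which blobs changed and which files were left world-writable.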

This is just one example of developer hostility and incompetence on the xiaomi eu rom community when asked about spyware: https://xiaomi.eu/community/threads/why-does-xiaomi-eu-rom-t...

There are many more to be found at the XDA forum, under custom roms.

There are also some older discussions on HN, xiaomi related, but it does bring up the larger point - how many of the applications and core functionality in custom ROMs are spyware? https://news.ycombinator.com/item?id=26306661

2 comments

I've always been wary of custom ROMs that didn't come from somewhat reliable sources like the Lineage team.

The response in that Xiaomi.eu thread has seriously damaged the trust I had in the xiaomi.eu ROM. I've heard good stories about the ROM, but if the community, even including a developer, responds like that to an issue like that, I don't think I can trust the website anymore, so I've blacklisted it in my pihole.

I believe custom ROMs published by what comes down to "a guy in a forum thread" are nice for proof-of-concept stuff, but should be considered insecure. Many of these ROMs disable security measures like SELinux because these measures make it harder to get Android running correctly on proprietary hardware, removing one of the best security mechanisms the Android sandbox has for the developer's convenience.

I'll never recommend anything other than established brands like Lineage, /e/ or one of the security-focused ROMs to anyone. I mistakenly thought xiaomi.eu was one of the good ones, but it clearly isn't.

Do you have any other sources on popular ROMs to avoid?

I'm glad that the xiaomi eu incident I shared has served as a warning for you and perhaps others, but saddened that it took place and perhaps represents the broad state of Android custom ROM development.

I've avoided Android development as much as I could - it's a mess. Right now I am actively reviewing what my options are for some older hardware that I would hate to toss just because of no updates. So far I unfortunately don't have any other positive suggestions, outside of Lineage and the few software/app developers that have a serious approach to development, such as Magisk for root access.

What I have seen on XDA forums was not inspiring, unfortunately. I regret not being able to suggest anyone else, so I suppose it's the unsatisfactory general "do your own research and be extremely wary" recommendation/warning.

XDA forums even have a sticky post for developers about respecting the GPL, yet most custom ROM builders don't share code, nor a build manifest, nor a report of what differently licensed code / binaries are included in their build, thinking that linking to the original GPL'd code, such as xiaomi's GNU/Linux kernel github page, is enough.

Is this a satisfactory approach to you? Let us leave out the whole "spirit of the thing" debate, Free Software etc. - knowing what code your application includes, crediting it, listing the different licenses and having a manifest of binary blobs is mandatory, if only for the reason of keeping track and having a sane development workflow.

So, if the majority of the ROM developers don't do it, that is an "avoid them" sign to me.

I am just a normal user and wasn't aware that developers didn't review security properly ...