by chenxiaolong 1266 days ago
I root my phone for a few reasons (in no particular order):

* Reverse engineering, mostly to satisfy my own curiosity, but also to verify that the few third party apps I install don't do scummy things behind my back. I mostly use frida [1] for this and if I want to change the behavior of something permanently, I make a module for LSPosed [2].

* Get rid of Android's awful app links feature [3]. I despise Android >=12's behavior of always opening deep links in "official" apps (e.g. YouTube) by default. To open those links in third party apps by default, the user has to go into Android's settings for the app and manually whitelist domains. This module forces Android to treat every domain as "unverified", which restores the old behavior of prompting the user which app to use when opening a link.

* Call recording [4]. (Or playing audio into a phone call to rickroll friends... [5])

* Raw access to app data, mostly for extracting information from apps with no export functionality.

That said, I don't like increasing the attack surface of my devices, so I do a few things to mitigate that a little bit. I wrote some scripts to sign the Android OTA update images, apply the Magisk boot image patches, and sign the images with a custom key [6]. This way, I can keep the benefits of Android's verified boot with a locked bootloader while rooted. I also don't allow any third party apps root access. My (hacky) local fork of Magisk only allows executing `su` if the app is signed by my own key or with a password if executing via `adb`. My LSPosed build only allows modules signed by my own key as well.

[1] https://frida.re/

[2] https://github.com/LSPosed/LSPosed

[3] https://github.com/Henry-ZHR/KillDomainVerification

[4] https://github.com/chenxiaolong/BCR

[5] https://github.com/chenxiaolong/BCP

[6] https://github.com/chenxiaolong/avbroot
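The root-gating policy described in the post above (`su` only for apps signed by the owner's pinned key, or for `adb` with a password) sketched as an added Python example; this is not code from the author's Magisk fork, and the owner certificate bytes, the adb password and the UID values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the DER bytes of the owner's APK signing certificate.
# On a real device the pinned fingerprint would come from `apksigner verify --print-certs`.
OWNER_CERT_DER = b"constructed-owner-signing-cert-der"
PINNED_SIGNER_SHA256 = {hashlib.sha256(OWNER_CERT_DER).hexdigest()}

# Constructed password record for adb-originated requests (PBKDF2-HMAC-SHA256).
ADB_SALT = b"constructed-salt"
ADB_PBKDF2_ITERATIONS = 200_000
ADB_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", ADB_SALT, ADB_PBKDF2_ITERATIONS)

ADB_SHELL_UID = 2000  # Android's AID_SHELL, the uid of an `adb shell` session


@dataclass(frozen=True)
class SuRequest:
    uid: int
    signer_cert_der: Optional[bytes]  # signing cert of the calling app; None for adb shell
    password: Optional[bytes]         # only meaningful for adb-originated requests


def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded signing certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def grant_root(req: SuRequest) -> bool:
    """Return True only if the caller satisfies the owner-only root policy."""
    if req.uid == ADB_SHELL_UID:
        # adb path: a password is mandatory and is compared in constant time.
        if req.password is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", req.password, ADB_SALT, ADB_PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, ADB_PASSWORD_HASH)
    # App path: no prompt, no password; only a pinned signing key is accepted.
    if req.signer_cert_der is None:
        return False
    return signer_fingerprint(req.signer_cert_der) in PINNED_SIGNER_SHA256
```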


I wish a solution like [6] were more widely accessible to those without a deep understanding of Android boot system internals. I'd love to be the holder of my own master keys, and the ADB password override feature sounds convenient.