by why_at 93 days ago
>On the other hand, being cryptographically locked-down is an optional feature. If you don't like it, buy a computer without that feature.

But that's the thing, where can I buy a phone without a locked-down operating system? GrapheneOS on a Google Pixel is basically the only option right now, and this still has problems thanks to hardware attestation in a lot of apps that the ecosystem forces us to use.

This is largely because Apple has dictated the direction of smartphones for the past two decades. All of our expectations for control over our phones are completely out of whack compared to other computers.

Somehow we managed to survive without the majority of society being scammed out of their life savings before Apple came in with the iPhone and locked down iOS, and yet now people are earnestly defending the notion that 90% of people should not even have access to the filesystem on their own device.


> All of our expectations for control over our phones are completely out of whack compared to other computers.

I would, sadly, challenge this. If anything, our desktops and laptops are the exception now. Phones, TVs, game consoles, set top boxes, cars, Amazon echos, ebook readers, tablets, security cameras, autonomous devices like vacuum cleaners — when I think of the myriad devices we interact with that have a computer in them, they are all as stringently locked down as possible.

> hardware attestation in a lot of apps that the ecosystem forces us to use

Only a tiny amount of apps force you into hardware attestation, and these are mostly around banking, mobile payments and the like. So just use a separate, locked down device for those (where the anti-fraud protection of a locked-down system can be a benefit) and your more open day-to-day device for mostly everything else. A hidden advantage is that the dedicated device for secure uses is not something that you're forced to carry with you; you can leave it in a secure place instead.

>Only a tiny amount of apps force you into hardware attestation

Luckily this is still true, but I'm not confident that it will stay this way. For a few examples, I've been unable to use my phone as a metro card in my city because even though it goes through the metro's app, the app redirects back to Google Pay. Google's own Waymo app won't work without stock OS even though all it does is call robotaxis.

>these are mostly around banking, mobile payments and the like. So just use a separate, locked down device for those

I don't think this is a very reasonable suggestion; carrying around a second phone that I use at most a couple of times a day is inconvenient and expensive. Half of the point of these is convenience and this would defeat the purpose.

The broader point is that our standards for phones are so different from everything else. I also carry around a credit card which requires no authorization to use, not to mention cash. I can have just as much personal data on my laptop if not more, so why does it have to be this way just for phones?

Be sure to give apps that behave that way one-star reviews.

I just tested Waymo and my usual solution of Magisk Play Integrity Fix was insufficient, suggesting hardware-backed attestation. This is the kind of crap Microsoft was doing that inspired Google to put "don't be evil" in its mission statement. We all know how that went.

> Be sure to give apps that behave that way one-star reviews.

You have to have a Google account to give a one-star review on the app store run by Google. You're still buying into their ecosystem.

If your goal is to boycott Google, you're probably not trying to use Waymo. My suggestion was only about punishing the use of remote attestation in the small way most of us can.

I was able to get Waymo to work on GrapheneOS, but it took some doing, and relies on the GrapheneOS developers hacking around the official Google Play services in some way. Waymo definitely made it more difficult than it needs to be to run this on something other than ordinary Android, and it's unclear if they did so in order to make themselves more money, or simply because doing things the official Google Android way is easier for them and they aren't even thinking about people who are trying to have a less-restricted smartphone OS.

A smart phone's primary function is to initiate and receive phone calls, or arguably 1/3 of its primary function if the metric is the Jobs iPhone launch presentation, however since "smart phone" and "iPhone" have "phone" in their names I'm going to argue it's their primary function.

People have come to expect that phones nearly always work, and rely on them for critical communication with loved ones, services like emergency services. When these aren't dependable you don't have a phone but instead a toy.

The case made two decades ago is that running arbitrary software on a phone incurs a risk that malware can compromise the device and alter its dependability. _General purpose computers don't have this historical burden._ Phone and mobile OS makers sell their products with their purposeful limitations made fairly clear. You want a mobile device with different capabilities then seek out an alternate device, it's kinda obvious.

There's always communities of people who attempt to repurpose the products they own for purposes they weren't originally intended, and I would like to see laws that make that hobby more legitimate and legal. I would love to see 3rd parties able to support these hobbyists, that would be great. But Apple, Google with their hardware partners have no obligation to do so, and justifiable positions for making repurposing non-trivial to do.

> carrying around a second phone that I use at most a couple of times a day is inconvenient

Guess it depends on the person. As somebody who carries around all sorts of shit all the time, a slim, extra phone is peanuts

> Only a tiny amount of apps force you into hardware attestation, and these are mostly around banking, mobile payments and the like.

I.e. the only ones that make the phone critical to daily lives of most people. Don't forget to add government applications, multimedia applications (DRM) and communications too.

And that's only going to get worse, because every app seems to think they're most important. We're in the middle of the phase where every app tries to force strong MFA on users, despite most apps having no fucking business having this level of security. Banks are actually lagging behind toilet paper roll simulator apps and stores selling hats for pets and such.

Wait when they're done that, leveraging attestation APIs will be next.

>Only a tiny amount of apps force you into hardware attestation

Or basically anything to do with work, even if it's just clocking in and out or 2-factor verifying for login purposes.

And what gives you the confidence that the amount of apps will stay tiny?

>Somehow we managed to survive without the majority of society being scammed out of their life savings before Apple came in with the iPhone and locked down iOS

What on earth are you talking about? People have been getting scammed since the days of AOL! What an insane perspective. It's not about total money lost from scams. It's about the amount of impact it has on the individuals who get scammed. What's the problem with Russian roulette after all? Most people playing Russian Roulette are absolutely fine! The point is that the damage done to the few people who get scammed is so high, we ought to care about their lives too. At the end of the day, it might end up being us... it probably won't, but it might.

Yes, monopolistic network effects are a problem, but that can be handled with regulation.

We don't save few people suffering high damage from losing a round of Russian Roulette by restricting ability to roll D6, because of the harm a bad roll can do when in form of a barrel of a loaded revolver. Also "only criminals need random number generators".

Yes that's how we're treating end user computing.

It is a question of who is "We" because all this seems to imply that the market owes "us" this product.

I would lose my mind and switch to Linux for good if Apple ever tried to close their laptops. Why? Because unlike my mom, I'm sitting here writing programs for myself.

On my phone however, I don't want to have to do a bunch of research whenever I need to install something like a parking app. I don't want to have to install a random parking app, but when you need an app to park in the MUELLER - MCBEE garage in Austin, and when I'm visiting and am meeting people for tacos, life is going to force me to install that app. When that happens, I'm happy to be in the walled garden. In fact, I want a walled garden.

I'm happy to have two computers, one open and one closed. They're two different products. For folks who want an open phone, yea, it's basically GrapheneOS or nothing, because when the point of the phone is a completely different use case (random app installs) then the point becomes the ecosystem, and you need to always be able to trust the ecosystem.

When you are trying to tinker with your phone, it becomes a completely different product. The market doesn't owe you that product.