John Wu
Creator of Magisk. Hacking Android since 2016. Android Platform Security @Google. ex-Apple. Tweets are my own.
Oct 6, 2021 11 tweets 2 min read
Continuing with the discussion on Android modding.

If you unlock the bootloader of an Android device, you *actually can* run almost whatever software you want! (Except proprietary/trusted components such as the bootloader, TEE, radio, firmware etc.) You can replace the kernel. You can compile your own Android OS. On Pixels, you can even sign the images and have verified boot enforced. You can install F-Droid and only run FOSS apps. You actually DO have the freedom to run almost all software with something you can control.
Oct 6, 2021 9 tweets 2 min read
There are still people upset about me sunsetting MagiskHide. I'll address everything in one place, one last time:

• I genuinely do not enjoy doing any development on hiding anymore, because there is a very obvious solution to it, and there is no practical way to defeat it

• The solution mentioned in the previous point is HW key attestation, and it has been slowly adopted in various detection methods, notably SafetyNet

• Ever since HW KA started to be used more widely, any real development on MagiskHide had basically already been halted
Oct 4, 2021 4 tweets 2 min read
In response to this whole rant:

Every design has its advantages and drawbacks. If you want to see the exact counter example of all this A/B + Dynamic partitions on Android, just look at iPhones. The whole point of A/B partitions (or, seamless updates) is to "trick" people into system updates. Before the user even notices, the update is already done, and it just needs a quick reboot.

On iOS, system updates take a while, and a lot of my friends just... never update 🤷‍♂️
Jun 25, 2021 4 tweets 1 min read
This research is an interesting read. One question though: why are they testing stuff on an LG Nexus 5 running Android 6.0.1 in 2021? ART has changed drastically and it affects app installation size a lot…
dl.acm.org/doi/pdf/10.114… App bundles are now enforced on the Play Store, so unsupported native libs and resources are no longer downloaded and stored in the user's storage. Modern ART no longer precompiles the whole DEX file into machine code AOT; instead it now uses a hybrid JIT + PGO-based AOT approach.
Jun 25, 2021 5 tweets 1 min read
Disclaimer: I'm not saying you're wrong or trying to put you under attack, quoting your tweet so I can explain to my followers with context.

The reason I have ditched custom recovery is that it is an external dependency that I cannot control. On modern Android, precise device status detection is crucial for configuring an installation. I've seen too many bug reports caused by the inability to accurately detect device information in custom recovery environments.
Feb 9, 2021 5 tweets 2 min read
Remember when I said using SELinux permissive is really bad? Here is a privilege escalation PoC where the only requirement is SELinux permissive. If you are still releasing custom ROMs/kernels with permissive, YOU ARE LITERALLY BACKDOORING YOUR USERS!
github.com/vvb2060/Magica In this PoC, when you press install, it will gain (restricted yet still powerful) root access in a service and install Magisk to your boot image. This demo shows that any ARBITRARY app, including malware, can PERMANENTLY root your device without your consent and permission.
Aug 30, 2020 4 tweets 1 min read
Watching LPC 2020: Android 12 is going to ship with GKIs (Generic Kernel Image), which has interesting implications for Android security. Just like iOS, security researchers can focus on a single kernel across all Android devices. This makes exploit-based root much more practical. This could be the next step forward for the Android rooting ecosystem, as no bootloader unlock would be required. This basically makes all the recent SafetyNet changes useless, and since we compromise the kernel, no easy detection can work when we root with vulnerabilities.
Aug 11, 2020 8 tweets 2 min read
I'd like to address the increasing number of "Magisk is too bloated" complaints.

Right off the bat: Magisk is first a systemless module framework, and then a root solution. Root is trivial with the foundation of the systemless infrastructure Magisk has created. With the increasing complexity of modern Android, unless you build a custom ROM changing the code, you HAVE to rely on all the "bloat" to achieve root, period. People might not realize how difficult things have become, and unfairly compare Magisk to "the good old root software".
Mar 11, 2020 7 tweets 2 min read
FAQ regarding new SafetyNet changes:

Q1: SafetyNet is passing fine on my device
A1: It seems this new measure is not fully enforced, most likely to prevent false negatives. If your device is old, or somehow key attestation fails in the keymaster HAL, SN will simply ignore it

Q2: <insert name> Xposed/Riru module allows me to pass SafetyNet
A2: The SN test in Magisk Manager is technically *not* a proper attestation. Proper SafetyNet checks will verify results on a remote server, not on device which can be manipulated by code injection frameworks
Mar 11, 2020 4 tweets 1 min read
So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet into something useful, and that is to use key attestation to verify device status (3 years after it was introduced to the Android platform!). From what we've seen so far, key attestation doesn't seem to be fully enforced yet, as devices with incompatible, potentially buggy(?) keymaster implementations (e.g. some OnePlus devices) that result in attest key cmd failures still pass SafetyNet regardless.
Feb 25, 2020 8 tweets 2 min read
Addressing some valid criticism people had on Magisk: there never seems to be a universally "stable" release.

Unfortunately, there are so many moving parts in Magisk that even if unit tests existed, they still could not cover its full functionality. For projects like Linux, they branch the source code at each release. The community tests/reports bugs for a specific branch, and bug fixes are pushed to each release branch.

Linux maintainers will pick a release as "Long-Term Support", and that specific kernel version will...
Feb 19, 2020 19 tweets 3 min read
Just flashed Android 11 on my Pixel 4 XL, there's a new partition named system_ext, which I think is part of early boot partitions. Would need to update MagiskInit for that... Great, device won't boot. If partial source code is out, will check that, otherwise time for some very "fun" trial and error since pre-init is basically impossible to properly debug 😂
Sep 18, 2019 12 tweets 3 min read
There is a lot of confusion regarding system-as-root (SAR) in general. SAR was introduced in Android 7.1 with the 1st gen Pixel, mostly for A/B partitioning, but also for Project Treble. Let's call this "legacy SAR", or "LSAR", and see how it works. The kernel decides which root directory to use based on the cmdline sent from the bootloader. When booting into system, the kernel mounts system as "/" (hence system-as-root). When booting into recovery, it boots with the initramfs (ramdisk, included in the boot image).
Sep 7, 2019 4 tweets 1 min read
I found out that Android 10's system images are formatted with EXT4_FEATURE_RO_COMPAT_SHARED_BLOCKS. It deduplicates blocks in the filesystem to reduce the image size. On my Pixel XL, the partition is physically not large enough to successfully run 'e2fsck -E unshare_blocks'. As clearly stated in the name of the feature, the EXT4 shared blocks feature is RO (read-only). The inability to disable this feature due to lack of free space in the partition (at least on my Pixel XL) makes it literally impossible to ever mount the system partition as rw.
Apr 25, 2019 8 tweets 2 min read
Android Q is indeed another huge shift in Android's direction. One example here is scoped storage. What we Android users have always enjoyed, direct file management, is no longer taken for granted. All apps will be restricted like iOS apps, with their own isolated storage space. The platform does include the Storage Access Framework to act as a "proxy" for apps to manage files outside of the sandbox. But basically apps are no longer allowed to directly control the files: all operations are delegated to the service the system provides.