Why does it feel risky to use an alternative firmware?

Update [2017-03-07]: I just installed lineageOS and have to say that they have excellent documentation. Really, really awesome! Everyone I rely on (opengapps, twrp, lineageOS, fdroid) provides GPG keys, signs releases, and documents how to verify them. The two things that are left are:

  • Check that information about the key (such as its ID) is never taken solely from the place where the signed build is hosted. An attacker who controls that host could simply swap in their own key, modify the builds, and re-sign them.
  • Be careful and check that the SHA256 sum of the key matches the one you pulled from an independent keyserver.
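The verification routine those two points describe, as an added example that is not code from the original post or from any of the projects named: the signing-key fingerprint is pinned in the script from an out-of-band source, gpg's status output is checked for the pinned fingerprint rather than for a mere "Good signature", and the build is then checked against a signed SHA256SUMS file. The fingerprint, file names and status lines are constructed placeholders.

```python
"""Check a downloaded firmware build against a pinned signing key and SHA256SUMS.
Added example; assumes a SHA256SUMS file in sha256sum format, a detached
SHA256SUMS.asc over it, and a key fingerprint obtained out of band."""
import hashlib
import re
import subprocess
from pathlib import Path

# Placeholder, not a real project key: record the fingerprint you got from a
# keyserver or the project's docs here, never one read off the download page.
PINNED_FPR = "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999"

def norm_fpr(fpr: str) -> str:
    return re.sub(r"\s+", "", fpr).upper()

def parse_sha256sums(text: str) -> dict:
    """Lines look like '<64 hex>  <name>' or '<64 hex> *<name>' (binary mode)."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_matches(name: str, digest: str, sums_text: str) -> bool:
    return parse_sha256sums(sums_text).get(name) == digest.lower()

def signer_fingerprint(gpg_status: str):
    """Return the key fingerprint from gpg's VALIDSIG status line, else None.
    GOODSIG alone is not enough: any key in the keyring would produce it."""
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2]  # fingerprint of the key that made the signature
    return None

def signature_from_pinned_key(gpg_status: str, pinned: str = PINNED_FPR) -> bool:
    fpr = signer_fingerprint(gpg_status)
    return fpr is not None and norm_fpr(fpr) == norm_fpr(pinned)

def verify_build(build: Path, sums: Path, sig: Path, pinned: str = PINNED_FPR) -> bool:
    """Needs gpg in PATH with the key imported; --status-fd 1 sends status lines to stdout."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(sums)],
                          capture_output=True, text=True)
    if not signature_from_pinned_key(proc.stdout, pinned):
        return False  # signed, but not by the key we pinned
    return digest_matches(build.name, sha256_hex(build.read_bytes()), sums.read_text())
```

Pinning the primary key's fingerprint rather than a short key ID matters here; short IDs can be forged, and they are exactly the "information about the key" the update warns against trusting from the download site.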

Here is my original post, which may still be true for unofficial images or some apps; I guess that will always be the case.

Intro

Currently all the files needed to root your phone have to be downloaded from somewhere (surprise!). By "somewhere" I mean some strange site that you can maybe reach over HTTPS if you are lucky.

It is very hard to check if a download:

  • really comes from the developer's own website
  • really comes from the developer I trust
  • was not tampered with by a third party
  • was not corrupted in transit

If there is no way to verify it, it comes down to luck. If it comes down to luck, it will go haywire at some point.

  • Example 1: You need (or want) a custom recovery, e.g. twrp. Is there a checksum? A signature? No, I could not find one.

  • Example 2: Then you want to root your phone using SuperSU (remember, the app is only an update). Is there a checksum? A signature? No, I don't think so.

You probably downloaded your adb tools from somewhere as well (luckily there is a Debian package for that), but not many people check those either.

Write it, post it, let it be pwned!

  • Why is so much of the stuff on xda-developers not signed?
  • Shouldn't a good release process generate checksums for the builds and sign them?
  • We have the tools to implement such a process! CI is everywhere!
  • Why don't we (okay, I am not an active xda member) have a trusted entity that hosts our stuff?
  • This could work like GitHub's releases feature, but controlled by a democratic organization like the one that makes the Debian project work.

After all, mobile, CM and Android are the future, and there is a lot of $$$ to be made! Don't let the users get (so to speak) killed. In all seriousness: someone might create a nice structure with some of the properties described above and then do crappy stuff, like SourceForge did.

Let's do the good parts first, get them right, and the bad parts never.

  • Update: OpenGAPPS, for example, are much nicer than the CM wiki that I personally used before.
  • Update: take a look at CM for the OnePlus. They list the SHA1! Nice! And twrp has MD5 verification, so at least it is secure against corrupted downloads. Nice! (That does not solve the problem with e.g. SuperSU, though.)