Rooting your Android phone? Google’s rumbled you again Google's crackdown on rooted Android devices continues. Citing security reasons, Google doesn’t want rooted 'Droid phones to use mobile payments via the Android Pay infrastructure. This is a standard not required by Pay’s predecessor, the now-deprecated Google Wallet. In turn, this has led to a cat-and-mouse game with Android …
Exactly.
But try explaining it to the average user. I usually resort to an analogy something like "you've bought a house but soon find out that someone else has the keys to "your" property. Also, they can unlock doors in the house to which you don't have the key."
But that's outrageous, they protest...
>>"Indeed. But they didn't buy, they took out a lifetime lease."
No, they bought it. The phone is theirs. You're trying to alter the analogy so that it shows Google's behaviour is okay. But it's just an analogy and it's being used in the way that analogies should - to communicate something complex in simple terms and it has succeeded for the OP. Here's an alternative one of my own which is perhaps a bit more accurate as it preserves the fact that this is about the Playstore...
Suppose a petrol company started manufacturing their own car. Many people bought the cars and owned them, but you could only get petrol from that one company. Some people altered the cars so it could use any petrol they liked. The petrol company didn't like this and would refuse to sell petrol to such cars whenever they could identify them. As the petrol company was the biggest petrol company and owned most of the petrol stations, they figured they could get away with this even though people had paid money for their cars and owned them.
The petrol company actually make money from advertising. The cars are phones that they can gather information on from people to get more money from advertisers. And they don't want people altering the cars because it lets the owner shop elsewhere.
I think the comparison is apt, but not in the way you intended.
Not for rooms, but there *are* locked implements in your own home for which you do not have the key.
Typically, they are the utilities: your connection to the gas, water, electricity, phone, is a locked box, or at best, a locked meter, which is not your property, and you are not allowed to open or tamper with them.
So Google would be on a stronger footing than it appears if you consider that payment is indeed an utility.
Since I rather agree with you on the whole, I'd love to have a better metaphor :)
If you modify the gas and electrical installations in your home don't be surprised if the utilities decline to offer you continued service. You can do what you want to things you own, but you can't do that and expect other organisations to support you in it.
Similarly you can do anything you like to a car you own, but you might lose the ability to use it on a public road afterwards. The important thing is that it's entirely your choice.
"If you modify the gas and electrical installations in your home don't be surprised if the utilities decline to offer you continued service. You can do what you want to things you own, but you can't do that and expect other organisations to support you in it."
So I guess it's perfectly fine if my bank won't let me do internet purchases from home unless I install THEIR OS on my PC and promise to never ask for the admin credentials...? What sort of fucked up world are we live in again, sorry?
> Also, they can unlock doors in the house to which you don't have the key
And come in when they feel like it, repaint the walls, move the furniture around and change the favourite channels on your TV...
... and if you don't like it, they say "fine, you can always move out..."
"But try explaining it to the average user"
Quite rightly the average user doesn't give a toss about that because they just want to make calls, plays some games, surf the internet. They really don't give a stuff about the things that excise people like you.
Soz but that's the truth I'm sure you'll get over it.
>>"Quite rightly the average user doesn't give a toss about that because they just want to make calls, plays some games, surf the internet. They really don't give a stuff about the things that excise people like you."
They don't care about it the same way I don't care about the details of EU clean water laws, or whether NICE guidelines allow the latest FDA rubber-stamped drug from the US or some local counsellor choosing which company will get the road maintenance contracts for filling the potholes in my street. I.e. I do care about it, I'm just relying on professionals in the field to look out for me when it comes to things I don't understand or wouldn't be aware of until it's too late.
Whether I control a device I own or whether another company can decide who I am and am not allowed to buy from is a battle with some serious long-term implications. Whether the average person knows about this or not, they care - just at a different point in time than the one people at the forefront of it do.
but prefer the "landlord" analogy.
Yes, it's your phone. You have rights - but...the landlord can always get access and you're not allowed to paint all the rooms black, whilst smoking crack.
Now you probably don't have the narcotic/decorating urge - up until somebody tells you you can't. Then you get pissed off.
On the flip side you could root your phone/buy your house and do whatever the hell you damn well please - but you've forfeited the right to demand somebody else fixes the heating when it packs up/install google's new pay app.
Defending the poor google underdo seems a bit strange, but I can't help feel that they'd like as many people as possible to use their app, and if they block people from doing so, they've probably got a carefully cost-analyzed reason.
Don't like it? Don't root, or write your own pay app.
>>"Yes, it's your phone. You have rights - but...the landlord can always get access and you're not allowed to paint all the rooms black, whilst smoking crack."
Smoking crack is a weird analogy for being able to install software of your choice on a phone you own. I call that analogy bogus. It's clearly prejudicial. All analogies are inaccurate to a degree by definition, but there's a difference between that and clearly trying to build one that changes the whole argument.
Disclaimer: I have an analogy of my own posted here, but unlike yours, the one of a petrol station chain that sells cars locked to only use their stations is a pretty accurate one.
...and move us to electronic money, so we will be completely at their mercy.
If you catch a light on someone's console, they can just turn off your access to your virtual cash in your virtual account and you're screwed, you can't even live.
Not to mention that you can be tracked by anything you ever buy once physical money is gone.
Don't let this happen by laziness or putting convenience over your future freedom.
There's nothing like being able to stash some cash, that is nobody's business where you spend it, when you spend it and on what.
Sorry, it *is* your phone, but it *is not* your Google Pay.
Any app can reject working on your phone if routed, that is up to the app dev to decide. For example, my cable company has an app that allows subscribers to watch TV on it, but only if not rooted.
My cable company of course fears that on a rooted system you might install something to record the video stream.
And Google Pay deems the security risk due to malware on a rooted phone too high.
I have yet to try the app of my bank on a rooted device, I suspect it will also refuse
"And Google Pay deems the security risk due to malware on a rooted phone too high."
Which is rather ironic considering the amount of malware that can be downloaded through Google's own app store. If anything, people with good enough technical knowledge to have even heard of rooting phones, let alone actually be able to do it themselves, are rather less likely to be the ones downloading malware.
This post has been deleted by its author
More to the point, who writes malware that will only work on a previously rooted device?
So you're only going to try to pwn the devices of tech-savvy types who are waaaaaaayyyyyyy more likely to notice something's up and remove your shit.........right...........very clever, I'm sure.
The trouble with that is if Google Pay refuses to work, then Google Play (with an L) refuses to work *even for free apps*.
And you can't uninstall Google Play Services without it taking all your downloaded apps with it. It uninstalls them when you turn it off in the settings.
This is the linkage game no different than when Microsoft did it.
Google Play Services is one of the most virulent spyware apps ever. Tracking, surveillance, access to cameras, microphones the lot. It has no purpose doing that, yet it does it for Google's benefit.
You probably don't know its tracking your location, and monitoring your app usage and all the other things "Carrier IQ" was doing. Sadly it is.
"And you can't uninstall Google Play Services without it taking all your downloaded apps with it. It uninstalls them when you turn it off in the settings."
I have a rooted Nook Tablet, plus an old HTC Evo 4G, and on both devices this is 100% not true - I can, and have, removed Google Play Services and all installed apps worked as expected except the Pay Store.
And I have a non-rooted Galaxy Prime (and several others), turning off Google Play Services requires it revert to the factory version, which it promptly uninstalls all of the apps.
So you're saying to stop Google Play Services, I need to root my device? Then run some other app to disable Google Play Services?
I tried rooting a Asus tablet to install Cyanogenmod, only to find it wouldn't root. Even if you're claiming a successul root can remove Google Play and still leave downloaded apps, how do I fix the root!
But also *why* should I have to!
"this is 100% not true"
This is 100% true.
100% not true - my HTC Evo 4G is not rooted. Apologies for the confusion.
I often uninstalled Google Play Services on the Evo, as it lowered battery life as well as being a form of spyware. Doing so did not effect apps in any way. It is possible that things have changed since Gingerbread, of course.
Here's a tip for rooting your Asus,
If it's anything like the Acer A700 then putting Cyanogenmod on it is an interesting journey of discovery.
For the A700 if you updated the firmware to root it you have to get all the original firmwares (from xda-developers and elsewhere on the net, I finished up with about 15 roms) and apply them in the correct order (starting with the French version of all things) till you get to the version that can be rooted.
You have to be a right tenacious bastard to keep at it but I'm the sort of person that hates to be beaten by computers and will happily spend many hours bashing away till I get something to work.
> And Google Pay deems the security risk due to malware on a rooted phone too high.
1.) Wouldn't this be the opposite? I would think the modding community would be the least likely of all to have this issue. I'm sure they patch issues faster than the slow OTA updates.
2.) What threat would this pose to the ecosystem at large? If this is a 'protecting the user from the user' exercise, than leave that bullshit to Apple please.
The interesting question is: whom are they protecting? Me? Well, in the case of the cable company I have no doubts...
I've had no problem with any "real" banking apps yet. HBO Now failed on a rooted Nexus 4 until I used a "hide root" utility (does it mv su? I don't know), but works OK on my 1+1 running CM12.1. Good thing for them because if it didn't work I simply would have canceled the service.
When I discovered that Google Pay doesn't work on the rooted phone, then well, no Google Pay. No problem.
"Citing security reasons, Google doesn’t want rooted 'Droid phones to use mobile payments via the Android Pay infrastructure."
If security was a concern, surely Google wouldn't be letting any Android based phones process payments. Android is by far the most insecure mobile OS. I suspect this has more to do with revenue loss...
I find this note strange ... just check your purchased/own home. Your smart meter has a seal, your gas meter too. Most of your devices in your home have some sort of warranty protection (for a bloody good reason), routers/wifi/adsl/cable devices all have protections. No one complains when governments say "don't fiddle with your power cables" or "don't fiddle with your gas pipes" - just check out the Internet for "DYI jobs gone wrong" and you will understand. I am sure there are people that root their phones correctly without some security flaws ... but are those people in the majority? You can always root your phone AND take your credit card.
Is this a threat or a feature?
A feature. But in all honesty, other than a few devs, the majority of people rooting phones do so (I suggest) to escape the clutches of Google. The idea of rooting, installing Cyanogenmod, and then choosing Google as a payments service seems to be totally implausible, so the whole basis of the article seems to be mild outrage at a "problem" that affects nobody.
Still, we read it, and those of us not blocking ads paid our dues for the Reg......
The idea of rooting, installing Cyanogenmod, and then choosing Google as a payments service seems to be totally implausible
Not to me. I root because I want to dump the crapware installed on my phones and to get security fixes faster and for longer.
As for the service provider: I'll use whoever I think offers the best service in a free market.
Using my phone as a cash wallet and for banking ?
I'll leave that to the brave amongst us, and by the way, when your phone is buggered, nicked, hacked, out of charge etc I'll happily lend you a £20 note at Wonga rates.
The more they overthink the plumbing, the easier it is to stop up the drain.
"Using my phone as a cash wallet and for banking ?
I'll leave that to the brave amongst us who, after complaining loudly about governmental bureaucrats seeing out their private data and acquiring it by subterfuge via sneaky, sleazy underhanded laws written behind the public's back, are willing to openly GIVE it to just about anyone if said handout comes attached to free, shiny baubles by a person who works for private enterprise."
FIFY
Your manufacturer no longer sends out patches for your device. You have two options..
* Continue using your device for financial stuff and have the whole thing compromised exposing all that data to the bad guys.
* Have a secure device but lose the ability to do financial stuff with it.
Bloody typical.
it's not just Google that has this idiotic mindset, banks do that too with their mobile banking apps.
Except that of course your second point is not really the truth... I know plenty of people who root their phone for other reasons (not quite legal ones) and since they basically just follow some descriptions on some forum to do so, throw the security out of the window.
It may be better if the apps would pop up a warning saying that if you continue you accept all liability if something goes wrong that turns out to be caused by your phone
> since they basically just follow some descriptions on some forum to do so, throw the security out of the window.
You completed missed the point.
But yes, following steps on a forum is equally as big of a security issue as heartbleed or stagefright, I guess.
"* Continue using your device for financial stuff and have the whole thing compromised exposing all that data to the bad guys.
* Have a secure device but lose the ability to do financial stuff with it."
While I agree with your sentiment I must point out that some custom ROMs, like CyanogenMod, actually don't execute as rooted by default. In the latter case you have to enable root using a developer option, so you can still get the benefit of the quick updates without root.
"While I agree with your sentiment I must point out that some custom ROMs, like CyanogenMod, actually don't execute as rooted by default."
Lucky you. I installed CM11 (or maybe 12) on my Galaxy S3 when Samsung stopped issuing updates.
There seemed nothing that I could do to make the Barclays mobile app to not claim my phone was rooted. I know that there were a few settings to try and prevent the detection of the 'root', but none of it did the trick.
The article fails to explain it, but there's a technical reason: they used to require a physical secure element in the phone. Now they don't, it's purely software stuff. That allows them to tap into a wider phone market and lessen any dependency to phone manufacturers. But accordingly, that made them worried hacking the thing has become easier.
http://www.nfcworld.com/2014/03/17/328326/google-wallet-ends-support-physical-secure-elements/
Do you really need to have your device rooted/jailbroken? If so, you will lose some functionality/features. My cable company also provides a mobile app for watching live tv on my Android phone. My phone is rooted so it refuses to run as do numerous android apps. I don't watch anything on a small screen except the occasional youtube clip. I choose a rooted phone over features I will never use. I don't do any financial transactions on my phone.
If you need to have your entire life on your phone, rooting is not for you.
I really don't see a problem here. Removing access to apps that process financial transactions on rooted phones seems perfectly reasonable as a security measure to me.
Sure for those "enthusiasts" who insist on having their devices rooted it might be an inconvenience, but surely restricting this potential attack vector for financial fraud is slightly more important? Even if you yourself are not going to abuse root access to do anything untoward with financial apps, that doesn't mean someone else isn't and that as a result they may end up compromising the security of others.
Not to mention, despite having been a user of rooted Android devices and custom roms in the past. I feel an ever decreasing need for either of those things with modern phones. Back in the days when a single core ~800Mhz was not uncommon in a phone, then yes I felt the need to root so that I could overclock and otherwise optimize the device to make it usable.
But these days with 4 cores being pretty much the minimum in any mid level, or higher, device I see very little need (other than fairly weak ideological "I want full control of my device that I paid for" arguments) for rooting.
Not allowing you to use a particular app on your device after you've performed an unsupported modification of the OS doesn't really seem like a discriminatory act to me anyway. It is comparable to the idea of expecting Microsoft to support the installation of Office on a Surface tablet after you disable secure boot and install some flavour of Linux.
Fundamentally, yes it is your device and you can do what you like with it. Just don't expect things to allowed or supported on it if you do something unsupported to modify it.
If the problem is that the app can be too easily subverted once you have control of your device, then perhaps they should not have dedicated apps (which IMHO gather too much personal info anyway) and stick to using their websites.
P.S. My devices are not rooted and I refuse to use the app of my financial institution as it wants too much access.
"open yourself to hacking or starve yourself of practically your entire clientele."
Are you trying to say the pratically everyone who has an Android phone and/or uses Android Pay has a rooted device? I admit that a great many people have rooted Android devices, but as a percentage of total Android and/or Android Pay users I think the number that are rooted is relatively small.
Yes, there's less ongoing need to have root BUT you still need to yank out all the crapware shipped with devices. Luckily unrooting is easy, so root, do the 1 off fixes, unroot, carry on as normal.
Personally I value having regular scheduled backups more than payment apps I never intend to use, too many app updates break them and reverting isn't an unrooted option.
To be honest I've had a few smartphones in recently to setup and most of them have been pretty easy to clean up unrooted. Samsungs are a bit of a pain but with my LG G4 I was able to uninstall 90% of the LG stuff and disable the rest. Slap on a new launcher and icon pack to taste and away you go.
Not difficult.
I'm looking to root my 'phone, not because of the other stuff, but because it is VERY insecure.
I have a Samsung S3 and, as many of you know, Samsung suck big time at providing updates. So I am forced to switch to CM, and that involves rooting the 'phone. (No, I'm not buying another 'phone because buying hardware to upgrade the software is a shitty way to go.)
I accept that there is an increased attack profile for my banking app, but is it more than I am already exposed to? Shouldn't it be my call to decide which path is the less vulnerable? I would be happy if my bank app said something like "your 'phone is rooted - do you accept responsibility for the security of this device?"*, but just cutting me off from what is a very useful app is simply unacceptable.
* It's not as if they pointed out the vulnerabilities in the first place.
"So I am forced to switch to CM, and that involves rooting the 'phone."
Installing a custom ROM on Samsung devices doesn't necessarily require root. Odin lets you flash custom ROMs on most Samsung Galaxy devices without root (although it does have here there be dragons warnings when you attempt it). Even if root were required to gain access to flash a custom ROM, there's no reason the ROM you flash should have root.
I've rooted and installed cyanogenmod on a S3(work) and S4(personal), root within cm is something you have to enable so I'm not sure how banking apps would interpret that, Barclays does not like root though not tried it with cm, Tesco is fine with root as long as you don't certain apps installed e.g. wifinspect.
The great thing about cm is you get to choose what google apps you install, I recommend pico (http://opengapps.org/) and if you need anything else install the individual apps.
One tip I can give you that caught me out is "google play services" as your battery will drain at a ridiculous rate till you go into privacy in the setting and stop it from waking up etc... oh and those privacy settings are great for stopping every tom dick and harry from reading your contacts/location/media/camera/microphone.
You'll be glad once you do it because you'll actually start to think your phone is a little more yours.
CM works great on my GS3; I would HIGHLY recommend not installing anything Google, as the battery life is more than double for me without Google services. I simply backup any apps I want to keep with apk extractor and manually install them once it's setup. I don't do anything that is sensitive on my mobile devices though, so I can't speak to banking apps. In order to update apps you'd have to manually sideload them, which I'm fine with because I don't use many apps.
I stopped bothering rooting my phones a couple of years ago. Never looked back. Rooting just gives you less and less as time goes on.
The phone software and hardware is pretty sorted now and all rooting seems to give you is a whole new set of headaches and the feeling of constantly nursing your phone.
It's just a phone dammit. You'll but another in 12-18 months time probably. Suck it up and just use it as intended. Life is too short.
1. You do some homework and find the right phone for you for the £300+. A lot (not all) of people that root are the type that do not dwell too long with a particular phone. Nature of the beast. me? I stick with a phone for 3+ years.
2. The problem at hand is rooted phones not being able to use the pay network. The thing is, have the folks who religiously root, actually stopped to think recently that the practice they have been doing the past 5 years is still worth it? For quite a few...probably not worth it now.
1. £300+ BWAAHAHAHAHAHAHAHAHAHA. Yeah right! Ill let the kids know they better not exercise for the next month. £50 would be a stretch atm.
2. My point exactly, why are you even mentioning using a new phone, people do not root their phone just because their contract is up !!! They root because it allows them to achieve whatever the goal they want to reach, getting a new phone is not achievable from rooting your old one.
@Jason 7, I'm on about the fact you seem to think that people have £300+ quid to spend on a mobile phone every few years. Nope not going to happen, and its not by choice.
P.s. apologies for my aggressive tone the other day, I currently have a flu and I am not phrasing myself in the correct manner.
@dave 126, Cheers for the heads up, Its the Xperia Z original haven't had a case for it yet but I'm pretty careful with my devices (so far) hoping its going to last another 2 - 3 years minimum.
>They root because it allows them to achieve whatever the goal they want to reach,
I believe Jason's point is that as Android and its hardware matures, there are *some* things that once required rooting that now don't.
It is perfectly plausible that an individual might their phone for a specific purpose. If that 'missing feature' is then added to a newer version of Android, then this user has less motive to root.
That's fine, YMMV.
My phone seemed to work pretty darned well out of the box, as a phone, as a Walkman, as a spare camera - whatever. So I don't faff around with it. But hey, I can understand if not everybody's new phone works as it should for them, either because of dodgy vendor software, or their own individual needs.
So no advice from me... Except for Known Hero: don't buy the official Sony case for your Xperia, it doesn't protect one edge of your screen, and the repair bill isn't cheap :)
Well, as soon as they'll let me perform a complete (nandroid) backup from stock, just in case there's a severe corruption (have had this happen after a few Sleeps of Death), and perhaps a user-configurable firewall, and the ability to update Android without carrier intervention, then I'll hand no more need for root.
Sounds like you need a phone running Xiaomi's MIUI.
You can download and install just about any ROM version.
You can back up everything to the MI Cloud or your PC
You can update via the phone itself, or buy using the MI suite on your PC to contact the MI update server directly - sod waiting for the phone carrier to offer it.
MIUI is installed as standard on a wide range of Chinese sourced phones now, and can also be installed on some branded phones from Sony, LG etc.
Just make sure you get the "Global" version if you dont read Chinese.
"update android without carrier intervention"
yes, i agree that's most of why i root. However I don't think you'll see any solution to that ever really, Google already tried several times and Android is too big and varied to get control back over without a major sea change at this point I feel.
For the most part I agree, but being able to drill in and kill all the damn wake locks that android has massively improves battery life in my experience. The other way is just not using Google services, which more than doubles the standby time on my GS3, ymmv.
I'm one of those user's that buys a phone with intention of rooting it from day one.
I've been stung in the past by manufacturer's (HTC) who dropped support for their devices leaving certain standard features broken because of their own crappy software. IE the HTC one X+ a 64gb quad core tegra 3 phone with HTC's own software had a bugged bluetooth stack (AOSP worked fine). The device is perfectly service able and fine but because of flawed software has issues and security flaws that were unpatched. Rooting allowed me to have the device work correctly on patched roms.
I now have the Nexus 6 but my old HTC still works perfectly for a family member and its rooted.
I certainly feel no need to use my phone to pay for things, I will just use my card for that. But I certainly will not stop rooting, the device I can't root is one I will buy.
As well as they should. But even the Warranty won't last forever. And by the time it lapses your most likely these days to be at least three major revisions back, as the OEM, would prefer you kindly buy their new Device that does the exact same thing, but unlioe your current Device with 4.4.2. Kitkat, the newer version.... Might, just might come with Marshmallow 6.0.x. if your lucky!
If you want a carrier-agnostic crapware free phone, you could do a *lot* worse than a Wilefox Swift/Storm
I have vowed to *never* buy a network locked phone again, after needing an emergency handset for my son, and discovering *none* of the 14 working old handsets I had would work with his giffgaff SIM. Not even the O2 ones.
I have a Swift and I absolutely love it. No bloatware. Enough resources to run Galaxy On Fire 2, which is the most graphic and processor intensive app I have.
CyanogenOS comes with enough customisation built in so that I don't really need to root. PrivacyGuard is superb - it covers ALL apps including Google.
Wileyfox is horrendous - DO NOT BUY ! Worst product I've ever bought. No instructions, so trial and error is the only way to stumble across what it does. It seems to come with 127 apps, most of which want to phone home at my expense, snoop on my contacts etc. It won't receive even texts, and it locks up my car radio if I make a phone call so I can't end an outgoing call, even by switching off the radio. It's just one big nightmare.
It's either hideously incompetent, a box full of spyware, probably both.
Gerry 3 - are you Sergey Brin in disguise?
The Swift is a lovely phone.
I don't see the problem with a lack of instructions - if you can do stuff with Android you can work out how to do it with Cyanogen and it's a hell of a lot easier to stop Google tracking your every move than it is rooting other phones.
The only real problem is that the USB socket doesn't always grip plugs properly, but that's only a minor annoyance for me.
Are you talking about the same phone as mine?
If a phone comes with instructions these days, they tell you how to charge it and turn it on and off in 20 languages then they leave you to get on with it.
(Maybe the rumoured Nokia mobile will rejuvenate the art of mobile phone manual writing, who knows.)
"I'll just go on using a slim, lightweight, easy to carry, plastic card"
That's an option, yes, although the reports I've read are that Apple Pay (and presumably Google's) are deemed to be more secure than your debit card contactless payments - reason being that your card number, account number etc aren't used, but an authorised token instead which doesn't reveal anything else about your account and is easily revoked (your sort code/account number isn't), plus it requires proof you are authorising the transaction (i.e. fingerprint/password).
PCI would be interested in Apple Pay and Android Pay as both use EMV over NFC, which provides much the same level of security as the Chip: both use nonces, so even if the data gets stolen, it's of no use to credit card thieves, plus both require explicit user consent to unlock the feature (thus why you can't use them without actual lockscreens), preventing even an NFC skimmer posing as a merchant from going unnoticed.
If google made it possible to easily revert a vendor phone to "vanilla" android - i..e. getting rid of all the uninstallable junk the vendors put on, then a lot less people would want root.
Handset manufactures & service providers have both added lots of (by default uninstallable as "system apps") unwanted dross to low end android phones I have purchased in the past, and rooting was only way to free up some space & improve performance by getting rid of those (many "always on") junk apps.
It is not such a major issue of more recnt higher spec phones, but still wasted space & needless battery hassle
Plus there are the legit things that are hard to do on non root phone that should be possible
e.g. want to do proper sniffing to check for malware - hopeless on unrooted phone (jhave to do workaround such as phone on wifi only and then sniff your local wireless traffic instead using a non android device)
e.g.only way to stop some "always on" apps / services is to have root privs to be able to tweak the settings
So they're not worried about it backfiring, as in more cruft means more likely they WON'T get the phone?
Personally, I'd be more interested in a plain vanilla Android phone, but Nexus phones don't offer SD slots or removable batteries, which are both make-or-break requirements for me.
What phone are they going to get instead of Android? It has no real competition except the iPhone, and that's only at the high end price (and those who are looking for SD slots or removable batteries like you are won't find them there either)
If there was a mass market competitor for Android then Google might be encouraged to act differently, but so long as they are the only game in town for the under $500 market (yeah, technically there's Windows phone in the sub $500 market, but if people consider that at all obviously not enough do or it would have more than the 2% share it gets)
NO phone. I've made up my mind that, unless my current phone (a modified S4) breaks, I'm not getting another phone until I can get it vanilla WITH SD slot AND removable battery (if it does break, I'll get the closest match that I can modify secondhand and keep waiting).
I'm reminded of an ad for an electronics store since gone to that brand name scrap heap. This was right during the big HDTV push, and the guy claimed to be so confused about "SDTVs and HDTVs" that's he's ready to instead get "N-O TV."
If google were more worried about security and less about prying, then they'd come up with a manufacturer/carrier agnostic method to apply security updates themselves.
I can't be bothered to root my mobile just for fun (these days; years ago I'd probably do it for the lulz) but I really would like something newer than android 5.0 on my S5 please.
I think they're working on it with Marshmallow and improved overlay support, but with carriers still able to have final say, some give and take is involved (such as TouchWiz and T-Mobile WiFi Calling). Perhaps they'll have a better solution by the time of Android N. They may also decide to bring back the Secure Element or something similar to establish some Trusted Path.
So Google are expecting us to keep Samsung, and Co. well fed, and watterd then? 'Cause I for one refuse to update my Phablet every year 'cause Samsung can no longer be arsed into supporting a Device that had only came out, but a year (or so ago). And have gone on record as stating that said Device was never gonna see an update, past the stock Firmware it shiped with.
The Twetwater has it right fork Google! And, use Plastic that only concerns me, the Seller, and my Bank. Its like those scamy Loyalty Card things. For the life of me, why I should want to feed the Machine with more of my personal Data, is somehow, lost on me.
I still hold that using your phone as a pay-by-bonk device is foolishly dangerous. The security on most phones just isn't strong enough to make me comfortable with that idea. Granted the security on a piece of plastic is functionally non-existent but folks tend to not leave those pieces of plastic lying about the way they do with phones.
What I want is basically a laptop in a smartphone format with an application that makes phone calls or sends texts, running an easily replaceable operating system preferably some flavour of L*nux.
I don't want to pay for anything with my phone, I don't wish to haemorrhage data to whichever company built the phone or operating system every time I make a call, I'm not interested in angry f*cking birds
I just want a machine that does what I tell it, when I tell it & not what someone else tells it
but with the inherent vulnerabilities of both droid & iOS, why would any security conscious individual actually want to use apple or google pay systems? While I'm sure I'll get flamed for asking such a preposterous question, it just seems like every single day there's just another hack that allows some one access to your phone. Obviously, there will be those who love it for the convenience but, after seeing daily disasters with online banking for individuals, can anything really good come from any of this?
Apple uses a secure element in the iPhone, no security exploit against iOS can access it so it remains secure. And it doesn't store the actual card number in any case, but a special substitute number that is only valid for use with Apple Pay from that one phone, so even if you got it it would be useless to you. The only "exploit" anyone has found against Apple Pay is to use social engineering to get a bank to allow you to enable someone else's card on an iPhone - which is really no different than simply stealing their card number and either using it online or making a counterfeit card using that number to use in a store.
Google doesn't use a secure element for Android Pay - they use host card emulation. That's a software based solution so they can't allow rooted devices to use it because it would defeat the security - it also means compromising the security of Android compromises its security. Google made that choice because requiring a secure element would lock out the lower end Android phones that choose not to include it for cost reasons. They care less about security and more on getting their hands on as much juicy purchase data as possible to help their advertising business. Knowing what people end up actually buying and how much they spend is the crown jewel for online advertising - it is so valuable I wouldn't be shocked if Google starts paying people to use Android Pay (at least for certain people with lots of disposal income who are the most valuable to advertisers)
"Google doesn't use a secure element for Android Pay - they use host card emulation. That's a software based solution so they can't allow rooted devices to use it because it would defeat the security - it also means compromising the security of Android compromises its security. Google made that choice because requiring a secure element would lock out the lower end Android phones that choose not to include it for cost reasons."
And by doing so, they improved uptake of Google Wallet which helped keep NFC on the map until EMV-on-NFC came along (Apple Pay and Android Pay both use this now. Google Wallet virtual cards are being retired IIRC). The main reason for this move in Android Pay is at the behest of the banks who basically made it a prerequisite. Given this security requirement, Google may be more inclined to set up a hardware-based trusted path for future Android phones and in particular for Android N going forward. It's more affordable to do it now especially since Apple are helping bring economies of scale to the Secure Element market.
This is really just proof that Google's payment system is poorly designed and insecure by default. Even with jailbroken iOS devices, there is not way to access anything related to Apple Pay, and even if you could, it's not useful as none of your personal data is ever passed to a retailer. I find this quite hilarious. It's almost like having some things restricted is more secure.
All iPhones that can use Apple Pay have Secure Elements. Google tried that in the past but were ahead of their time: SE's then were expensive and finnicky. Perhaps all Android Pay phones using Android N or whatever in future will have to incorporate a Secure Element, too. This will mitigate the need for root checks if push comes to shove. Another possibility (at least with ARM) is to use TrustZones or other hardware-based encrypted-execution zones again where not even root can intrude.
Like a lot of people I just want my phone to work as a phone, have good battery life and pick up emails on a large readable screen. Not interested in games, data grabbing apps, subscriptions to music or films etc.
I have no idea why anyone would use one of the google/ apple / whatever pay systems or the contactless debit cards. A huge security problem in every case and your responsibility to prove you did not make a transaction as there is no secure pin or whatever. All of this at your cost in time etc obviously.
On top of this the phone pay systems have the added benefit of all your transaction details passed on to the fucking leeches ( google / apple etc) to make money from and to inconvenience you with adverts and monetise the data even further.
I will carry on making BACS payments from my secure(ish) pc and pay by Credit Card which at least has some level of accountability and audit. It will be a sad day when I decide that the extra two seconds saved in typing in a secure password over waving a card at a small box with no way of proving that it was indeed a valid transaction.
"You can disable SU access in Super Su" and payments will work as expected, a minor inconvenience...
So all someone needs to do is allow some kind of Quick Shortcut for this in the notifications and it really isn't an issue, I'd like it as a backup, contactless is used heavily over here in Aus and it would be great to not have to carry my wallet around at times when it would be a pain (e.g. out running and stopping for coffee / breakfast afterwards) - I usually have my phone strapped to me!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
