Question about custom rom safety/security

kofman13

Hey guys, so I'm a fairly new Android user, on an S7 Edge running stock Nougat TouchWiz firmware. I am very interested in trying a custom ROM like Resurrection Remix to get snappier stock-Android performance and things like on-screen software navigation buttons, but a couple of things worry me a little.
Stock firmwares have security updates etc. How safe is it to use a custom ROM, like a well-known one? What's stopping the maker of a custom ROM from baking in some malware or virus that collects data, passwords and other private information? How often does this happen, and does it happen at all? Is it safe to use a custom ROM as a daily driver in terms of security?

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB

  1. Any decent ROM will get security updates relatively quickly (within 24-48 hours, if the developer/developer team are respectable). LineageOS is one of the most popular and tends to get patches quickly.
  2. Nothing is stopping a ROM builder from adding any form of malware into the ROM; it usually doesn't happen, as most decent ROMs are open source -- that said, that doesn't mean the build you're installing won't be different from the source available.
  3. Short version: yes, it's generally safe to use a custom ROM as a daily driver. See below as for why it might not be.
  4. Don't grant root lightly (only give it to apps you really trust); that's giving the app complete access to the device -- it's not a security vulnerability, but any app with root can do whatever it wants. Seriously.
  5. The apps that manage root (Magisk, Superuser, SuperSU to name a few) are theoretically exploitable, but to my knowledge there are no public exploits of these.
  6. Installing a custom ROM usually entails unlocking the bootloader, which could also be exploited (you could relock it after the fact, but if the ROM breaks... you'd be screwed) if you were to be targeted by an app with root access or by someone with physical access to the device.
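
Jade's second point is the supply-chain worry in this thread: the zip you flash might not be what the maintainer published, let alone what the public source builds to. The one check you can do before flashing is to compare the download against the SHA-256 the ROM's download page lists (most ROM download pages, LineageOS included, show one per build). The script below is an added example, not something from this thread or from any ROM project; the file it hashes is a constructed stand-in with a digest known in advance, and the ROM file names in the comments are placeholders.

```shell
#!/bin/sh
# verify_rom.sh: compare a downloaded ROM zip with the SHA-256 its download page
# publishes, before anything gets flashed. Added example; file names are placeholders.

# Print the SHA-256 hex digest of file $1, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_rom_zip ZIP EXPECTED
#   ZIP      path to the downloaded ROM zip
#   EXPECTED published digest: either the bare hex string or a whole line in
#            "<hex>  <filename>" form as found in a .sha256 file. Case-insensitive.
# Returns 0 on match, 1 on mismatch, 2 if the zip cannot be read.
verify_rom_zip() {
    zip="$1"
    expected=$(printf '%s\n' "$2" | awk '{print tolower($1)}')
    if [ ! -r "$zip" ]; then
        echo "cannot read $zip" >&2
        return 2
    fi
    actual=$(sha256_of "$zip")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $zip matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: do not flash $zip" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Real use (placeholder names): take the digest from the download page or its .sha256 file.
#   verify_rom_zip ROM.zip "$(cat ROM.zip.sha256)"
#
# Demonstration on a constructed stand-in file (the bytes "hello\n", whose SHA-256 is
# known) instead of a real ROM zip.
SAMPLE_DIGEST=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SAMPLE_ZIP=$(mktemp)
trap 'rm -f "$SAMPLE_ZIP"' EXIT
printf 'hello\n' > "$SAMPLE_ZIP"
verify_rom_zip "$SAMPLE_ZIP" "$SAMPLE_DIGEST" || echo "unexpected failure" >&2
verify_rom_zip "$SAMPLE_ZIP" "0000000000000000000000000000000000000000000000000000000000000000  ROM.zip" \
    || echo "(mismatch reported as expected)"
```

A digest taken from the same page as the zip proves only that the file arrived intact and is the one the maintainer uploaded; it says nothing about whether that build was produced from the published source, which is the residual trust Jade describes.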
9 minutes ago, Jade said:
  1. Any decent ROM will get security updates relatively quickly (within 24-48 hours, if the developer/developer team are respectable). LineageOS is one of the most popular and tends to get patches quickly.
  2. Nothing is stopping a ROM builder from adding any form of malware into the ROM; it usually doesn't happen, as most decent ROMs are open source -- that said, that doesn't mean the build you're installing won't be different from the source available.
  3. Short version: yes, it's generally safe to use a custom ROM as a daily driver. See below as for why it might not be.
  4. Don't grant root lightly (only give it to apps you really trust); that's giving the app complete access to the device -- it's not a security vulnerability, but any app with root can do whatever it wants. Seriously.
  5. The apps that manage root (Magisk, Superuser, SuperSU to name a few) are theoretically exploitable, but to my knowledge there are no public exploits of these.
  6. Installing a custom ROM usually entails unlocking the bootloader, which could also be exploited (you could relock it after the fact, but if the ROM breaks... you'd be screwed) if you were to be targeted by an app with root access or by someone with physical access to the device.

So basically you're saying only give root to those 3 you mentioned, the essentials basically. And also get ROMs only from official threads like on XDA?

4 minutes ago, kofman13 said:

So basically you're saying only give root to those 3 you mentioned, the essentials basically. And also get ROMs only from official threads like on XDA?

The 3 I mentioned are apps that manage root access -- they dictate what other apps can utilize root access. But yes, don't grant root to anything you don't trust with everything on your phone. And yes, as long as you stick to active threads on XDA, you'll be fine. Inactive ones are usually fine; if malicious stuff is found in ROMs the author is permabanned, but I wouldn't take chances.

I second most of what Jade says. LineageOS (link to official site) would be the first one I'd look at. In fact it IS the first one I look at, I even verified that my S7 (non-edge) was supported before I bought it.

Many custom ROMs come without any of the Google apps, but those can be installed if you flash the right OpenGapps (link to official site) package after flashing the ROM.

For your S7 Edge that package would be ARM64, Android 7.1 ... and then it depends on your preference for the amount of Google integration.

If you want to keep it Google-free, that's very much possible too. There are alternatives to the Play Store, Maps etc. Perhaps not with the exact same functionality and without the ease of all the Google account integration, but personally I don't mind that.

On my personal phone I've been Google-free for around 2 years. My work phone (a 2016 Galaxy J3) still has a stock ROM with all the Google stuff, so I have plenty of opportunities to compare both options.

With regards to updates and patches, I can't speak for other ROMs but LineageOS normally gets updated every week.

My phone is currently running the build of August 16th (last Wednesday as I write this), which according to the "Settings -> About device -> Software info" menu has an "Android security patch level" of August 5th. Last month the security patch level was July 5th and the month before that it was June 5th, so it looks like security patches are released by Google once every month and implemented in the next LineageOS update. I assume that a critical vulnerability would be patched ASAP though.

Stock ROMs get patched way less often, my work phone for example has only received 2 security patches from Samsung so far this year (January 1st and July 1st).

Long-term support depends on the phone's popularity. That's not a problem for the Galaxy S phones though, even the Galaxy S2 (released in May 2011) is still supported on LineageOS so I wouldn't worry too much about your S7 Edge not getting patches anymore.

That's the full Android 7.1 too on the S2, Samsung dropped support for that phone back in 2012 at Android 4.1.2. So you get the latest features as well as security.

As for root, installing a custom ROM doesn't mean you need to enable root. My S7 is doing just fine without it. I wouldn't bother with root unless you for some reason really want/need an app that needs root access to work.

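
Captain Chaos reads the patch level off the About screen; the same values, plus the bootloader state OmJo93 brings up further down, can be read over adb and checked mechanically after every weekly update. The script below is an added example, not part of this thread or of LineageOS. It parses `adb shell getprop` output, replaced here by constructed sample text modelled on the August 2017 numbers in the post, and it assumes the device exposes the standard `ro.build.version.security_patch`, `ro.boot.flash.locked` and `ro.boot.verifiedbootstate` properties; the last two are not guaranteed on every device, Samsung's included, so "unknown" is a result the script has to handle.

```shell
#!/bin/sh
# rom_audit.sh: after flashing (and after each weekly update), read the security-relevant
# build properties over adb and flag a stale patch level or an unlocked bootloader.
# Added example; the SAMPLE_PROPS text below is constructed, not captured from a device.

# prop PROPS NAME: print the value of property NAME from getprop-style text PROPS,
# whose lines look like "[ro.build.version.security_patch]: [2017-08-05]".
prop() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape the dots for the regex
    printf '%s\n' "$1" | sed -n "s/^\[$name\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# date_ge A B: succeed if ISO date A (YYYY-MM-DD) is on or after B. Such dates sort
# correctly as plain strings, so no date(1) arithmetic (and no GNU-only flags) is needed.
date_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$2" ]
}

# check_patch_level PROPS OLDEST: report the Android security patch level and fail
# if it is older than OLDEST (e.g. the first day of the previous month).
check_patch_level() {
    level=$(prop "$1" ro.build.version.security_patch)
    if [ -z "$level" ]; then
        echo "patch level: unknown (ro.build.version.security_patch not set)"
        return 1
    fi
    if date_ge "$level" "$2"; then
        echo "patch level: $level (ok, not older than $2)"
        return 0
    fi
    echo "patch level: $level (STALE, older than $2)"
    return 1
}

# check_bootloader PROPS: report lock state. ro.boot.flash.locked is 1 when locked;
# ro.boot.verifiedbootstate is green/yellow/orange/red per Android Verified Boot.
# Assumption: the device exposes these; not all do, so "unknown" is a real outcome.
check_bootloader() {
    locked=$(prop "$1" ro.boot.flash.locked)
    vb=$(prop "$1" ro.boot.verifiedbootstate)
    case "$locked:$vb" in
        1:green) echo "bootloader: locked, verified boot green";              return 0 ;;
        1:*)     echo "bootloader: locked, verified boot '${vb:-unknown}'";   return 0 ;;
        0:*)     echo "bootloader: UNLOCKED (verified boot '${vb:-unknown}')"; return 1 ;;
        *)       echo "bootloader: unknown (properties not exposed)";         return 1 ;;
    esac
}

# audit PROPS OLDEST: run both checks; succeed only if both pass.
audit() {
    rc=0
    check_patch_level "$1" "$2" || rc=1
    check_bootloader "$1" || rc=1
    return $rc
}

# On a real device:  PROPS=$(adb shell getprop); audit "$PROPS" 2017-07-01
# Constructed sample modelled on the post above: Android 7.1.2, patch level 2017-08-05,
# bootloader still unlocked, as the flashing procedure leaves it.
SAMPLE_PROPS='[ro.build.version.release]: [7.1.2]
[ro.build.version.security_patch]: [2017-08-05]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]'

audit "$SAMPLE_PROPS" 2017-07-01 || echo "audit: attention needed"
```

Run against the constructed sample, the patch-level check passes and the bootloader check fails, which is exactly the trade-off the thread settles on: a custom ROM keeps the patch level current, but the unlocked bootloader is the price of getting it on the phone.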
11 hours ago, Captain Chaos said:

I second most of what Jade says. LineageOS (link to official site) would be the first one I'd look at. In fact it IS the first one I look at, I even verified that my S7 (non-edge) was supported before I bought it.

Many custom ROMs come without any of the Google apps, but those can be installed if you flash the right OpenGapps (link to official site) package after flashing the ROM.

For your S7 Edge that package would be ARM64, Android 7.1 ... and then it depends on your preference for the amount of Google integration.

If you want to keep it Google-free, that's very much possible too. There are alternatives to the Play Store, Maps etc. Perhaps not with the exact same functionality and without the ease of all the Google account integration, but personally I don't mind that.

On my personal phone I've been Google-free for around 2 years. My work phone (a 2016 Galaxy J3) still has a stock ROM with all the Google stuff, so I have plenty of opportunities to compare both options.

With regards to updates and patches, I can't speak for other ROMs but LineageOS normally gets updated every week.

My phone is currently running the build of August 16th (last Wednesday as I write this), which according to the "Settings -> About device -> Software info" menu has an "Android security patch level" of August 5th. Last month the security patch level was July 5th and the month before that it was June 5th, so it looks like security patches are released by Google once every month and implemented in the next LineageOS update. I assume that a critical vulnerability would be patched ASAP though.

Stock ROMs get patched way less often, my work phone for example has only received 2 security patches from Samsung so far this year (January 1st and July 1st).

Long-term support depends on the phone's popularity. That's not a problem for the Galaxy S phones though, even the Galaxy S2 (released in May 2011) is still supported on LineageOS so I wouldn't worry too much about your S7 Edge not getting patches anymore.

That's the full Android 7.1 too on the S2, Samsung dropped support for that phone back in 2012 at Android 4.1.2. So you get the latest features as well as security.

As for root, installing a custom ROM doesn't mean you need to enable root. My S7 is doing just fine without it. I wouldn't bother with root unless you for some reason really want/need an app that needs root access to work.

Thank you so much, you've basically explained everything I needed to know. Does LineageOS have options for on-screen navigation buttons? That's one of the main reasons I want to try a custom ROM: I'm not a fan of the physical and capacitive buttons on the S7 Edge, and on-screen soft keys would mean I don't have to actually press buttons and let me stretch my thumb down less when using it one-handed.

On 8/21/2017 at 9:47 PM, kofman13 said:

Does LineageOS have options for on-screen navigation buttons?

On my S7 the first option in the "buttons" setting is "Enable on-screen nav bar".  If you enable that, it will disable the hardware buttons (except for the one in the center, which can still be used to wake the device if you so choose) and replace them with on-screen ones that are fully customizable in terms of layout.

(screenshot: the LineageOS "Buttons" settings page on the S7, with "Enable on-screen nav bar" as the first option)

Of course this may differ from phone to phone but I assume that the S7 Edge will probably have the same options as the regular S7. 

On 08/20/2017 at 10:31 AM, Jade said:

The 3 I mentioned are apps that manage root access -- they dictate what other apps can utilize root access. But yes, don't grant root to anything you don't trust with everything on your phone. And yes, as long as you stick to active threads on XDA, you'll be fine. Inactive ones are usually fine; if malicious stuff is found in ROMs the author is permabanned, but I wouldn't take chances.

 

To add.. If you do root/unlock the bootloader I recommend sticking to downloading apps either from the Google Play store or XDA forums. Best way IMO to avoid getting malicious software on your phone, with or without root for that matter. But especially for rooted phones.

 

And as mentioned above, custom ROMs almost always get security updates. Hell, they often get them before official OEM ROMs do...

On 08/21/2017 at 2:16 AM, Captain Chaos said:

As for root, installing a custom ROM doesn't mean you need to enable root.  My S7 is doing just fine without it.  I wouldn't bother with root unless you for some reason really want/need an app that needs root access to work.

You don't need to root, but you do generally need to unlock the bootloader. When I locked the bootloader on FreedomOS for my OP3T it always got stuck in a bootloop. Granted not sure if Lineage OS has the same issue.

 

But if you do unlock the bootloader that also leads to some possible vulnerabilities and some apps such as banking apps and Android Pay might not work properly unless you use Magisk.

23 minutes ago, OmJo93 said:

If you do root/unlock the bootloader I recommend sticking to downloading apps either from the Google Play store or XDA forums.

F-Droid is another good one.  Smaller choice of apps, but they're all checked much more rigorously than anything in the Play Store.  Every negative aspect (advertising, promoting non-free addons etc) is marked in bold red text on the app's page, above the description. 

Example:

(screenshot: an F-Droid app page with its negative aspects marked in red above the description)

21 hours ago, Captain Chaos said:

On my S7 the first option in the "buttons" setting is "Enable on-screen nav bar".  If you enable that, it will disable the hardware buttons (except for the one in the center, which can still be used to wake the device if you so choose) and replace them with on-screen ones that are fully customizable in terms of layout.

(screenshot: the LineageOS "Buttons" settings page on the S7)
 

Of course this may differ from phone to phone but I assume that the S7 Edge will probably have the same options as the regular S7. 

Got pretty excited about Lineage but then I found out that Lineage doesn't have AOD or Edge features :(

22 minutes ago, kofman13 said:

Got pretty excited about Lineage but then I found out that Lineage doesn't have AOD or Edge features

There are apps that do AOD, even open-source ones, so that shouldn't be a major issue. I briefly tried "Always On AMOLED" a while ago but ended up uninstalling it within minutes because I just don't care enough about AOD.

No idea about Edge features, never used an Edge phone.  If it indeed doesn't have Edge functions, that would suck indeed. 

I don't know if you'll find those on any custom ROM if it's not on Lineage, so you may need to spend some time on YT reviewing ROMs for the S7 Edge

Just now, Captain Chaos said:

There are apps that do AOD, even open-source ones. I tried "Always On AMOLED" a while ago but ended up uninstalling it because I just don't care enough about AOD.

No idea about Edge features, never used an Edge phone.  I don't know if you'll find those on any custom ROM, so you may need to spend some time on YT reviewing ROMs for the S7 Edge

thanks for the heads up!

35 minutes ago, Captain Chaos said:

There are apps that do AOD, even open-source ones, so that shouldn't be a major issue. I briefly tried "Always On AMOLED" a while ago but ended up uninstalling it within minutes because I just don't care enough about AOD.

No idea about Edge features, never used an Edge phone.  If it indeed doesn't have Edge functions, that would suck indeed. 

I don't know if you'll find those on any custom ROM if it's not on Lineage, so you may need to spend some time on YT reviewing ROMs for the S7 Edge

One more question. I watched several videos of people using LineageOS on the S7 and all of them have this weird 0.75-1.0 second response delay when pressing the on-screen nav buttons, compared to the physical home button. Is there a way around that? Do you have the issue on Lineage?

1 hour ago, kofman13 said:

Do you have the issue on lineage ?

My work phone doesn't have those due to only having a stock ROM, so by default I don't use them on my S7 either (to prevent hitting the wrong buttons if I switch from one phone to the other). 

I turned the on-screen buttons on just now and sometimes I do notice a slight delay when pressing the home button indeed.  A couple of attempts to measure it with a stopwatch put the total time around 0.7 seconds (from button press to actually seeing the homescreen).  I'd say it's about twice as long as the delay of the physical home button on either my S7 or my work's J3.  Other times there's no noticeable delay.

Then again I do not have any of the Google stuff installed on my S7 so it's probably quite a bit faster than one that has all that extra stuff running all the time.  So I wouldn't be surprised to see a second or so if the phones in your review have the Gapps package on them.

 

Check videos of other ROMs to see if they have that problem too, I wouldn't be surprised if some delay is inevitable when using on-screen buttons.
