Getting a backdoor into an official Google or Samsung phone would seem to be a particularly difficult task to pull off. At the very least, they have an interest in protecting their reputations, and they have non-trivial resources they can apply to ensure the integrity of their source code and image repositories.
What assurances do we have that these third-party ROMs aren't somehow compromised or backdoored? Are the individuals maintaining the repo trustworthy? What would it cost to bribe one of them? How many people are paying attention, and who would notice? Given that many people using third party ROMs are inherently distrustful of mainstream phone distributions for whatever reason, would they be a particularly attractive target for state spy agencies? Seems there may be a combination of increased susceptibility to poor security practices or corruption combined with increased motivation on the part of some attackers to compromise the software.
When it comes to trust, what reputation does Google have to protect?
It's collecting data on anything & everything, hoovering private data wherever possible. Working hard to ensure it's almost impossible to have an Android device not including their apps or services.
And it's not like Google's Play Store hasn't had its share of malicious apps sneaking in.
Similar for other hw/sw vendors just in different ways.
I tend to place more trust in a community of volunteers working on open source software.
Now, as for that community's ability to assemble reliable, well-tested OS images for a wide selection of devices, despite all the hurdles put up by those devices' hardware? Or check what 3rd party software goes into their repositories? There you have a point.
All in all, it mostly comes down to not installing random apps from random 3rd parties.
Regardless of the exact reasons to run 3rd party OSes like LineageOS (or one's thoughts about those), objections to OSes a device came with, are entirely valid: bloat, privacy, apps installed by default (sometimes non-removable), default settings, etc etc.
Latest news from 10 months ago. Hope they're still hanging in there. Not sure I'll ever go back to 3P ROMs, unless I keep another phone beyond its official EOL.
What assurances do we have that these third-party ROMs aren't somehow compromised or backdoored? Are the individuals maintaining the repo trustworthy? What would it cost to bribe one of them? How many people are paying attention, and who would notice? Given that many people using third party ROMs are inherently distrustful of mainstream phone distributions for whatever reason, would they be a particularly attractive target for state spy agencies? Seems there may be a combination of increased susceptibility to poor security practices or corruption combined with increased motivation on the part of some attackers to compromise the software.
It's collecting data on anything & everything, hoovering private data wherever possible. Working hard to ensure it's almost impossible to have an Android device not including their apps or services.
And it's not like Google's Play Store hasn't had its share of malicious apps sneaking in.
Similar for other hw/sw vendors just in different ways.
I tend to place more trust in a community of volunteers working on open source software.
Now, as for that community's ability to assemble reliable, well-tested OS images for a wide selection of devices, despite all the hurdles put up by those devices' hardware? Or check what 3rd party software goes into their repositories? There you have a point.
All in all, it mostly comes down to not installing random apps from random 3rd parties.
Regardless of the exact reasons to run 3rd party OSes like LineageOS (or one's thoughts about those), objections to OSes a device came with, are entirely valid: bloat, privacy, apps installed by default (sometimes non-removable), default settings, etc etc.