[CLOSED] EOL [ROM][Unofficial][8.1.0][microG][signed]hardened LineageOS 15.1 for Oneplus 3T

Status
Not open for further replies.
Hi,

Thank you for your work! I just have two questions: do you spread updates via normal OTA or do we have to go to this thread to check for updates? I will definitely root it too with Magisk, would I need to redo this after every update?
No OTA, you would have to check this thread (the Updater app is not even part of the build).
Magisk has got an updater script to "survive" updates (i.e. re-install after flashing), so it does not make any difference whether you would regularly flash or - if it was available - do OTA. So after flashing a new build (as long as you don't wipe anything), Magisk will still be there.
 
New build with February 2019 ASB

Hi all,
a new build is available for download with the February '19 security patches.
https://www.androidfilehost.com/?fid=1395089523397888325

EDIT: Please use this link

  • ASB Security string 2019-02-05
  • Bromite System Webview updated to M72
  • Kernel: merged CAF tag LA.UM.6.5.r1-10600-8x96.0 plus sec. patches of the February 2019 Android Security Bulletin

Happy flashing,
regards M.
 
I know it is not meant to be used with Gapps, but would this ROM work if I flashed Gapps? Would it crash, perform badly, or have other issues?

I expect issues because of the stricter sepolicy. Further, Gapps will replace some system files and thus a big portion of the hardening will be lost. It could also be, that safety net may fail. Or it could be, that it seems to work, but sporadic weird things happen sometimes.

So you can try, if you want, and report here. I haven't tried myself yet. If it indeed works (or mostly), it could be also interesting for others. However, I can't and I won't provide any support for this setup.
 

Thanks, I might give it a try later, and I understand that you are not going to provide support. :highfive:
 

So I gave it a try and it didn't work: the setup wizard froze at searching for updates.
I used Open GApps nano 8.1 (1/19/2019) and Magisk 18.1, clean flashed.
 
So just to make sure because I'm doing this for the first time. Just reboot to recovery and install new build? No need to wipe anything? Some guides tell to wipe dalvik cache and cache and some to just install the update.
 
If you have my build installed, and you would like now to update to get the February ASB: All you need to do is to flash the new ZIP file in TWRP and choose "Install" - no need to wipe cache/dalvik.
The system will recognize by itself, which apps need the cache to be renewed. But if you wipe cache/dalvik, e.g. because TWRP usually offers this step directly after flashing, it won't harm anything. The next boot will take longer then. (As said, not necessary)
 

Hi, loving the ROM so far.

A question: is it possible to get SafetyNet passing with at least basic integrity (if not CTS) with the microg included, or is this a lost cause?
I've heard SN has been spotty with microg in general lately, wondering if anyone has had luck on this ROM.
I'm using Magisk and the DroidGuard Helper from f-droid, but I'm willing to drop everything if I can get this working. I can't live without Snapchat
 
Hi, loving the ROM so far.
Thanks :)

Well, not an easy question to answer.
Short answer:
I can't do anything about it.

Longer answer:
Maybe you could do some research and try-flashes on your side:
Does SN also fail with an "official lineageos4microg" ROM? Does it even fail with an official LineageOS build and pico or nano Gapps?
This should help to isolate your issue, whether it is related to a) the OP3T device + LineageOS as such, b) microG or c) my build in particular
If it relates to LineageOS as such, there is nothing we can do right now. If it relates to microG, you can basically only hope that the guys behind microG will find a solution.
If it really relates to my build in particular (I don't think so, but I can't 100% exclude that possibility), then the "official lineageos4microg" ROM might be the better alternative for you, especially if you "can't live without Snapchat"

What you could also try (I have no clue whether it'll work, but if you don't try, you won't get an answer):
- Try without droidguard installed
- Apply 'MagiskHide' also to the droidguard app
- Build a droidguard apk including this (not yet merged) pull request

Regards, M.

EDIT:
"Build a droidguard apk including this (not yet merged) pull request"
>> This one I could indeed give a try . . .
 
Good news regarding SafetyNet

Hi, I think I have good news:
I was able to create a test build with a prebuilt and pre-installed RemoteDroidGuard (including the discussed pull request within the microG project).
When I disable root access ("official" LineageOS root addon), the SN test app from Play store shows full compliance.
I have uploaded the test build here
Please perform a test on your end and tell me, how it went. If all goes well, I'll publish a new build.
(Note: If you use Magisk 18.x, you may need to apply Magisk Hide also to the "microG DroidGuard helper app")

Regards, M.
 

It works! Magisk manager hidden and MagiskHide enabled on the DroidGuard Helper and the SN attest app. Both Basic Integrity and CTS profile pass!
Using Magisk 18.1 and the 2019-02-12 test build.

This just became my daily driver, thanks for all the hard work.
 
Hi

I'm getting some really weird behavior after the new February build. Sometimes the phone just gets stuck, and when I reboot it sometimes goes as far as unlocking decryption and then a black screen with the white information LED lit, and sometimes not even that far.
And then I have to reboot again and maybe after 2-3 reboots the phone will boot correctly.

Also yesterday I booted to recovery and adb devices showed me device offline.
Yet again a few reboots and got it working.
And the iptables script is blocking Spotify again even when it's on the whitelist.

Should I just clean install feb build and use something like titanium backup to recover apps?
 
Thanks for reporting this! I remember having once had such an issue in the middle of Feb testing, but it vanished after one reboot, so I somehow saw it due to a "dirty test build".
But now, after having read your report, I was able to reproduce the behavior - when I tested everything, I never wiped cache & dalvik (not necessary). Now, I explicitly rebooted to recovery to only wipe cache&dalvik and rebooted, and I had a similar ****ty behavior! And always the same after wiping cache/dalvik (this also explains, why it starts to be okay after some reboots).
So I have now reset the three last commits for the kernel and it looks better now. I'll upload the new build, which now also contains the fixed SafetyNet stuff, and will put a new link into the OP.

Seems I will need to prioritize 'upstreaming' the kernel as @mumapizza has asked in this thread a couple of posts before . . .

Regarding the iptables blocking script:
You are aware that after flashing an update, your edits in the script are gone and need to be re-applied?

Regards, M.
 

Top Liked Posts

  • 20
    Moderator Announcement: THREAD CLOSED on request of OP. If you're interested in the hardened LOS for the OnePlus 3 or 3T please follow this thread in the cross-device section in future: https://xdaforums.com/oneplus-3/oneplus-3--3t-cross-device-development/rom-hardened-lineageos-16-0-oneplus-3t-t4034869


    This thread is dedicated to provide hardened Lineage-OS 15.1 builds with microG included for the OnePlus 3/3T with current security patches.
    This thread is discontinued, please visit the LineageOS 16.0 successor thread

    Features of this ROM
    Download here
    • Pre-installed microG and F-Droid same as the LineageOS for microG project
    • Pre-installed AuroraStore
    • Pre-installed pre-release of microG DroidGuard helper to have a working SafetyNet attestation (see comments below!)
    • Adapted LockClock app without wake-locks (fix of frozen weather widget after boot)
    • OTA Support
    • Additional security hardening features listed below
    • Access to /proc/net blocked for user apps
    • Bundled netmonitor app to allow network monitoring
    • Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking
    • Optional disabling of captive portal detection
    • Option to define own DNS
    • No submission of IMSI/phone number to Google/Sony when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView
    • Option to deny new USB connections
    • Additional restrictions for secondary users
    • Increased password length
    • Kernel kept up to date with ASB patches and Google kernel/common 'android-3.18' branch

    Current release levels
    Security string: 2020-01-05
    AOSP tag: 8.1.0_r52
    Bromite System Webview: M79


    Source-code and build instructions
    Kernel: https://github.com/lin15-microG/android_kernel_oneplus_msm8996/tree/lin-15.1-microG
    Build manifest: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG


    Installation Instructions

    YOU ARE RESPONSIBLE SOLELY YOURSELF FOR ANY ACTIONS YOU DO WITH YOUR DEVICE !!!

    Please note - I won't explain any single aspect (e.g. how to install 'fastboot' on your PC or troubleshoot USB connectivity issues under Windows). Search the net and consult the search engine of your choice or look here in XDA, there is plenty of information available.

    Pre-Requisites
    • Have fastboot and adb installed on your PC and make sure, you can connect via USB to your device in fastboot mode and via adb
    • Download the most current .ZIP file of the ROM and place it to your phone's internal memory
    • An unlocked bootloader (see e.g. LineageOS install instructions)
    • You need at least OxygenOS 5.0 firmware, otherwise you'll get error 7 when installing the zip. (Recommended 5.0.8 - DO NOT use 9.x firmware)

    Install TWRP recovery
    If you come from stock ROM and have just unlocked your boot loader, this is the next thing to do. I recommend to use the TWRP recovery for the OnePlus 3/3T. The following instructions are based on TWRP.
    IMPORTANT NOTE - The official TWRP 3.2.3-1 is broken - DO NOT USE!
    Please use the TWRP link in the official LineageOS install instructions instead.

    To install TWRP, download the twrp-x.x.x-x-oneplus3.img file (Note: replace "x.x.x-x" in the following instructions with the respective values from the real file name) to your PC, connect the phone via USB to your PC, get it into 'fastboot mode' and enter the following command on your PC:
    Code:
    fastboot flash recovery twrp-x.x.x-x-oneplus3.img
    Afterwards, directly boot into 'recovery mode' (enter fastboot reboot on your PC and hold Power and vol.down) - DO NOT boot into the phone's Android system after having flashed TWRP! Once TWRP has been launched, you may decide to reboot your phone and install the ROM at any time later. But the first boot after flashing TWRP must be TWRP in recovery mode.

    Advanced Wipe
    ONLY perform the steps described here, if you come from Stock ROM or a different Custom ROM!
    Boot into recovery mode. In TWRP, choose "Wipe", "Advanced" and specify "Dalvik", "System", "Cache" and "Data" to be wiped. Make sure NOT to wipe "Internal memory". Swipe to confirm the deletion and get back into the main menu.

    DO NOT flash Gapps!
    This ROM comes with pre-installed microG. So don't attempt to flash Gapps.

    Install ROM
    In the TWRP main menu, choose "Install". A file manager appears to let you navigate to your internal memory (path /sdcard). Choose the .ZIP file of our ROM and swipe to flash.
    If you update from a previous version of our ROM, you don't need to perform a wipe. If you come from a different ROM (or stock firmware), make sure that you have performed the Wipe steps above.
    When finished flashing, return to the main menu, choose "Reboot" and then "System", which will cause your phone to boot into our Lineage OS 15.1 - be patient, the first boot after flashing a new ROM takes quite long!


    Dealing with signed builds
    Please note that this build is signed with its own key. When you come from a different build, you cannot directly "dirty-flash" this build. You have to perform a "clean flash" (recommended), or - you do this at your own risk - you may try the below steps.

    This happens at your own risk - make a backup with TWRP before!
    • Download and extract the file migration.sh from this archive
    • This file helps you to migrate from a build signed with the publicly available test keys (i.e. all builds around, which do not state that they are signed). If you come from another signed build (e.g. official LineageOS), you have to adapt the file accordingly (see below links).
    • boot into TWRP
    • push the migration.sh file to the directory /data/local on your device and mount the /system partition in TWRP (you can do so using the dedicated TWRP's menu entry)
    • launch the built-in terminal in TWRP, cd into /data/local, make migration.sh executable (chmod +x) and execute the command ./migration.sh official
    • (In case you receive an error, try sh ./migration.sh official instead)
    • flash the ROM .zip
    • wipe Cache and Dalvik/ART Cache
    • reboot system
    More background information and the "theory behind" can be found in the LineageOS wiki and AOSP reference.


    SafetyNet:

    Google SafetyNet is a device certification system, ensuring that the device is properly secured and compatible with Android CTS. Some applications use SafetyNet for security reasons, to enforce DRM or as a prerequisite for tamper-protection. General information about SafetyNet can be found here or e.g. see LineageOS' statement about SN.

    If you don't need SafetyNet (i.e. you don't use apps requiring it), I recommend to switch off SafetyNet in microG settings and in addition, go to Settings - apps, make system processes visible and disable the app 'microG DroidGuard Helper'
    In that case, you can safely skip the below information. (If you access the play store with Yalp coming with this build, apps, which the original playstore app would hide because of failed SafetyNet, such as e.g. Netflix, are still listed, so you don't need SafetyNet for that specific purpose)

    If you need SafetyNet, because you use an app requiring SafetyNet attestation to pass, switch SafetyNet on in microG settings and make sure the a.m. DroidGuard Helper app is active. Further, please consider below important information.


    The typical use-case, for which SafetyNet has been developed and is e.g. used by Google, is e.g. "Google Pay".
    Although it seems not to be the intention of Google to make SafetyNet part of "ordinary, average" apps - unfortunately - a certain tendency can be observed that more and more apps make use of it. Especially nosy and privacy intrusive apps seem to start using SafetyNet against Custom ROMs, because Custom ROMs usually allow to at least restrict uncontrolled data collection.

    microG GmsCore contains a free implementation of SafetyNet, but the official server requires SafetyNet requests to be signed using the proprietary DroidGuard system. A sandboxed version of DroidGuard has been added to this microG build as a prebuilt “DroidGuard Helper” app to run the Google code in an isolated environment. The chosen approach in my build is proposed and discussed within the microG project, but not yet officially implemented by microG.

    As of March 11th 2019, the microG build passes the SafetyNet attestation, when installed w/o root or Xposed.
    So, if you need SafetyNet and you also need root, Magisk would be the way to go.
    To avoid confusion: Magisk can hide itself from being detected by SafetyNet and thus help to pass SN, if the device would pass SN without having Magisk installed. Nothing more.

    Currently not working, hence not bundled

    There are apps available on the Play store to show, whether SafetyNet attestation is passed, for example 'SafetyNet Test' (org.freeandroidtools.safetynettest)


    IMPORTANT
    I cannot and I will not give any assurance that SafetyNet attestation is passed by this build!
    The SafetyNet code, which is dynamically downloaded from Google servers and executed on the device as part of the defined functionality, is regularly maintained and further developed by Google. Although it currently works, it could stop working in the future, until the microG team finds again a solution.
    (Interesting enough: Remote code execution is normally considered a severe vulnerability, but hey, it's Google and we all "trust" them 100%, don't we? ;) - At least I, besides others, exactly for that reason, do not use Gapps!)
    Further, I for my part refuse to use apps requiring SafetyNet, but that is of course everybody's own decision.


    Bug reports:
    If you have a problem, please create a post with this information:
    Original Kernel shipped with this rom:
    Build Date:
    And try to get log as described here
    Please note that I can't and won't support issues with builds using a different kernel or Xposed.
    In regards to microG, I will try my best to help when it is related to this ROM (I use it myself), but any questions of the type "the YXZ-app can't do <some sort of fancy xyz Google functionality> properly" are better asked in the respective microG forums.

    Credits
    AOSP project
    LineageOS project
    microG project
    CopperheadOS project
    csagan5 (Bromite)
    Yeriomin (Yalp)


    XDA:DevDB Information
    [ROM][Unofficial][8.1.0][microG][signed]hardened LineageOS 15.1 for Oneplus 3T, ROM for the OnePlus 3T

    Contributors
    MSe1969
    Source Code: https://github.com/lin15-microG/local_manifests/tree/lin-15.1-microG

    ROM OS Version: 8.x Oreo
    ROM Kernel: Linux 3.x
    Based On: LineageOS

    Version Information
    Status: Stable
    Stable Release Date: 2020-01-13

    Created 2019-01-21
    Last Updated 2020-04-30
    8
    Change Log

    February 7th, 2020
    Announcement to discontinue the LineageOS 15.1 builds - Please visit my LineageOS 16.0 thread, which continues with LineageOS 16.0 builds

    January 14th, 2020
    • ASB Security string 2020-01-05
    • Bromite Webview on 79.0.3945.107
    • AuroraStore updated to 3.1.7
    • AuroraServices updated to 1.0.5

    December 7th, 2019
    • ASB Security string 2019-12-05
    • Bromite Webview on 78.0.3904.119
    • AuroraStore updated to 3.1.5

    November 10th, 2019
    • ASB Security string 2019-11-05
    • Bromite Webview on 78.0.3904.72
    • Updated microG GMS core 0.2.9.x

    October 13th, 2019
    • ASB Security string 2019-10-06
    • AuroraStore updated to 3.1.3
    • Bromite Webview on 77.0.3865.104

    September 10th, 2019
    • ASB Security string 2019-09-05
    • AuroraServices updated to 1.0.4

    August 11th, 2019
    • ASB Security string 2019-08-05
    • Bromite Webview on 76.0.3809.100
    • Aurorastore 3.0.9 with AuroraServices install method
    • Updated microG GMS core 0.2.8.x
    • OTA Support

    July 4th, 2019
    • ASB Security string 2019-07-05
    • Bromite Webview on 75.0.3770.109

    June 12th, 2019
    • ASB Security string 2019-06-05
    • Kernel upstreamed to 3.18.140
    • Bromite Webview on 75.0.3770.86
    • Replaced Yalpstore with Aurorastore
    • Removed RemoteDroidGuard
    • Updated F-Droid & priv. extension
    • Updated microG GMS core 0.2.7.x


    May 9th, 2019
    • ASB Security string 2019-05-05
    • SystemWebView: Bromite updated to 74.0.3729.106
    • Kernel: Upstreamed to 3.18.139
    • Backport of 'Deny new USB' feature
    • Option to set own DNS
    • Additional options for secondary users
    • Increased password length

    April 8th, 2019
    • ASB Security string 2019-04-05
    • SystemWebView: Bromite updated to 73.0.3683.97
    • Kernel: Upstreamed to 3.18.138
    • Control switch in dev. settings for hosts file update

    March 11th, 2019
    • ASB Security string 2019-03-05
    • SystemWebView: M73-Bromite (includes CVE-2019-5786)
    • Kernel: Upstreamed to 3.18.136

    February 19th, 2019 - 2nd interim release
    • New upstreamed kernel (3.18.134) from here (yet w/o CAF tag LA.UM.6.5.r1-10600-8x96.0)

    February 13th, 2019 - interim release
    • Reverted Kernel fixes, which seem to have caused crashes after wiping cache&dalvik
    • Prebuilt microG DroidGuard helper app to pass SafetyNet attestation

    February 9th, 2019
    • ASB Security string 2019-02-05
    • SystemWebView: M72-Bromite
    • Kernel: CAF tag LA.UM.6.5.r1-10600-8x96.0

    January 21st, 2019
    Initial load
    • ASB Security string 2019-01-05
    • AOSP tag android-8.1.0_r52
    • SystemWebView: M71-Bromite

    Initial feature list:
    • Pre-installed microG and F-Droid same as the LineageOS for microG project
    • Pre-installed YalpStore (Version 0.45)
    • Access to /proc/net blocked for user apps
    • Bundled netmonitor app to allow network monitoring
    • Enhanced Privacy Guard: Switches for motion sensors, other sensors and certain background activities
    • Cloudflare as default DNS (instead of Google)
    • Privacy-preferred default settings
    • Optional blocking of Facebook- and Google-Tracking
    • Optional disable captive portal detection
    • No submission of IMSI/IMEI to Google/Sony when GPS is in use
    • Default hosts file with many blocked ad/tracking sites
    • Privacy-enhanced Bromite SystemWebView
    8
    Security Hardening Features - Details

    1. Pre-installed microG and F-Droid
    same as the LineageOS for microG project

    2. Pre-installed AuroraStore
    works w/o having to enable the "unknown sources feature"

    3. Restrict access to /proc/net for user apps
    An adapted SELinux policy prevents user apps from accessing the /proc/net pseudo file system, which can be misused to monitor and track the phone's internet traffic. For technical backgrounds, see here. For the legitimate use case of the smart phone owner him/herself monitoring the network traffic to see, what the installed apps do, the app Privacy-Friendly Network Monitor has been bundled.

    4. Enhanced Privacy Guard - Sensor permission switches and background control
    An own sensor template to control access to motion sensors ('ask' mode) and all other sensors (allowed by default, but can be restricted) has been implemented into the Privacy Guard. Further, the following background activities can be restricted in Privacy guard:
    • Background Clipboard access (forbidden by default, can be allowed per app)
    • Background Location access (allowed by default, if location access as such is allowed, can be forbidden per app)
    • Background Audio recording (allowed by default, if microphone access as such is allowed, can be forbidden per app)

    5. Cloudflare (instead of Google) default DNS
    Cloudflare DNS has a better privacy policy than Google Public DNS and has DNS-over-TLS and DNS-over-HTTPS. In the default DNS settings (as fallback) and network diagnostics, the Cloudflare DNS addresses 1.1.1.1 and 1.0.0.1 are specified as defaults (instead of Google's 8.8.8.8 and 8.8.4.4)

    6. Privacy-preferred default settings
    When newly installed, the below settings are defaulted, different from standard LineageOS 15.1 (all settings can be changed at any time later):
    • Privacy Guard is enabled on install (proposal during Setup)
    • Anonymous LineageOS statistics disabled (proposal during Setup)
    • The standard browsing app does not get the location runtime permission automatically assigned
    • Sensitive information is hidden on the lock screen
    • Camera app: Location tagging disabled by default
    • Apps having the PACKAGE_USAGE_STATS permission appear by default as "not allowed" under Settings => Security & privacy => Apps with usage access (instead of opting out here, the user needs to explicitly opt-in in order to have the app collecting this data)
    Further, when a lock screen protection is set (PIN, pattern, password), the Nfc, Hotspot and airplane mode tiles require authentication and cannot be set without

    7. Optional blocking of Facebook- and Google-Tracking
    Until April 2019 build: Settings => Network & Internet => Data usage => Menu => "Apply iptables block script"
    Starting with May 2019 build: Settings => Network & Internet (scroll down)
    When activated, all outgoing connection attempts to Facebook servers will be suppressed.
    Same applies to Google, but certain apps on an internal exception list will still be able to connect (Yalpstore, microG, or e.g. NewPipe, if installed)

    8. Optional disable captive portal detection
    Until April 2019 build: Settings => Network & Internet => Data usage => Menu => "Disable Captive Portal"
    Starting with May 2019 build: Settings => Network & Internet (scroll down)
    When activated, the system will not ping a specific Google server any longer when establishing a WiFi connection to determine, whether a captive portal is being used.

    9. No submission of IMSI or phone number to Google/Sony when GPS is in use
    GPS also works fine, if no SIM card is present, so there obviously is no benefit for the phone holder (different from other involved parties :rolleyes:) to provide this data . . .

    10. Default hosts file with many blocked ad/tracking sites
    The system's hosts file redirects a comprehensive list of URLs known to be adware, tracking, etc. to 127.0.0.1 (ipv4) and ::1 (ipv6)

    11. Privacy-enhanced Bromite SystemWebView
    Instead of the default Chromium System Webview component, the Bromite SystemWebView is used offering more privacy, more ad blocking and less Google tracking.

    12. Deny new USB option
    Settings => Security & Privacy
    Control, what happens, if a USB device is connected to the device: Allow, allow when unlocked or block.

    13. Option to define an own DNS
    Settings => Network & Internet (scroll down)
    You can optionally define an own DNS, which is used instead of the default DNS of the ISP (uses iptables)
    Note: If your ISP intercepts DNS queries to enforce their own ISP - e.g. to enforce surveillance/censorship - this option won't work . . .

    14. Maximum password length increased to 64

    15. Additional restriction options for secondary users
    - Disallow app installation option
    - Disallow audio recording option
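
The hosts-file blocking described in item 10 can be checked on a copy of the file. The Python below is an added example, not part of the ROM or of the original post: it reports names that are sinkholed for only one address family and entries that point at a non-loopback address. The sample content is constructed, `/system/etc/hosts` is the usual Android location rather than a path given in the post, and whether a one-family entry still resolves over the other family depends on the resolver, so the pairing check is an assumption about what is worth flagging.

```python
"""Audit a hosts-file blocklist (added example; sample data is constructed)."""
import ipaddress
from collections import defaultdict

# Names that legitimately map to loopback and are not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample. On a device, a copy can be fetched for inspection,
# e.g. with: adb pull /system/etc/hosts
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# --- blocklist (constructed entries) ---
127.0.0.1   ads.example.com tracker.example.net
::1         ads.example.com
0.0.0.0     metrics.example.org   # inline comment
::1         metrics.example.org
203.0.113.7 login.example.com
not-an-ip   broken.example.com
"""


def parse_hosts(text):
    """Return (entries, malformed): entries are (lineno, address, [names])."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:  # address without any host name
            malformed.append(lineno)
            continue
        entries.append((lineno, addr, [name.lower() for name in fields[1:]]))
    return entries, malformed


def audit_hosts(text):
    """Classify entries: sinkholed names, one-family-only names, redirects."""
    entries, malformed = parse_hosts(text)
    sinks = defaultdict(set)  # name -> set of IP versions (4, 6) sinkholed
    redirected = []           # (name, address, lineno) pointing off-device
    for lineno, addr, names in entries:
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                sinks[name].add(addr.version)
            else:
                # A hosts entry that maps a name to a routable address is
                # not a block; it silently redirects traffic for that name.
                redirected.append((name, str(addr), lineno))
    return {
        "blocked": sorted(sinks),
        "ipv4_only": sorted(n for n, v in sinks.items() if v == {4}),
        "ipv6_only": sorted(n for n, v in sinks.items() if v == {6}),
        "redirected": redirected,
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty `redirected` list is the finding to look at first, since it means the hosts file sends a name to an address outside the device instead of blocking it.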
    7
    Further tips & tricks

    Root
    The ROM does not come with root baked in. A couple of features in this ROM even reduce the usual need for root.
    Nevertheless, if you need/want to grant root permissions to some of your apps, the most popular options are:
    Note that I cannot and will not support any issues related to Magisk and/or SuperSU

    Weather Widget
    LineageOS does currently not offer Weather provider apps for LineageOS 15.1 for download (only for LineageOS 14.1)
    I have built an APK for OpenWeatherMap for download from the LineageOS sources here, which works well with LineageOS 15.1

    microG initial configuration after 1st install
    After the first installation of this ROM, you need to setup microG.
    Please read the instructions given on the LineageOS for microG site, section "Post Install - UnifiedNlp"

    Firmware
    You need at least OxygenOS 5.0 firmware, latest firmware recommended. Firmware updates (or downgrades, if needed) as flashable ZIP can be obtained e.g. here or here.
    Do not confuse OnePlus 3 and OnePlus 3T firmware or you will brick your device!