Feuerfest

Just the private blog of a Linux sysadmin

SECUSO Android Apps - A type of app I thought being extinct

It was just a few days ago when I learned of the existance of the SECUSO apps. These are apps developed at the Karlsruhe Institute of Technology (KIT) by their Research Group: Security • Usability • Society (SECUSO). The Android apps they develop contain absolutely no tracking, no ads and use only the bare minimum of permissions. A sort of app I thought to be extinct in the current app ecosystem.

They have an informational page about their project goals with a list of all currently supported apps: https://secuso.aifb.kit.edu/english/105.php

The catch? All apps are only available in the alternative Android Appstore F-Droid. You most likely won't find them in the Google PlayStore anymore. As SECUSO had to ditch publishing their Apps in the Google PlayStore in 2025 due to ever increasing effort that is needed in order to publish apps with minimal permission requirements. And while they didn't delete their apps from the PlayStore I at least couldn't find a single one there for my mobile.

They provide a PDF with migration instructions on how to install and use F-Droid, but let's face the reality: Many users won't do this.

Personally I am not surprised by the slightest that it publishing minimal permissions apps on Google Play has become such a burden. After all Google is one of the biggest players in the user tracking, data collecting and ad display business. Published data privacy apps without any ads or tracking is simply against their business model and hence its in no way on their list of feature the want to support.

The source code is, of course, available too via their GitHub repository at https://github.com/secuso.

I am just happy that I finally found a good Sudoku game app for my train rides. Their sketching and note taking apps are useful as well. Oh, and the QR code scanner app even has a history of scanned QR codes. A feature I never encountered before!

Comments

Bye Bye: OnePlus

This article could also be labelled: How to wreck your business model.

For over a decade OnePlus released solid Android phone who didn't need to shy away from other competitors flagship models. I owned a OnePlus 3 and currently use a OnePlus 8, what convinced me in the first place was the commitment to provide security updates for up to 5 years. This really stood out back at the time - only matched or beaten by Google's Pixel phones. As I run LineageOS nowadays I am not dependent on vendor updates. However I still held OnePlus' phones in high regards. This drastically changed today.

The reason? OnePlus started rolling out updates for its ColorOS which contain an hardware-level Anti-Rollback (ARB) mechanism. This is a so-called eFuse inside the processor itself and cannot be changed via software.

The result? If your OnePlus 13/13T/15 is on ColorOS 16.0.3.501 you can't install any custom ROM or downgrade the OS. If you try you brick your phone. No recovery possible. The only chance users have to install custom ROM is, if their firmware is build with the same or higher ARB/security level. Which are not yet available. And even then it will always be a ride on razors edge if you brick your phone when updating the ROM - or not.

This change wasn't announced publicly. It wasn't communicated in any way. And when asked OnePlus provided no answer - but they removed old firmware files from their servers for the affected models. Which the community takes as proof that this change is intentional and not just an extremely unfortunate bug or oversight.

It's unclear if other models are affected too or if they will get the same "treatment". Effectively robbing people of their freedom of choice regarding which OS they want on their phones.

And while ColorOS is used for OnePlus devices in China (devices outside of China run OxygenOS) this whole affair has a bad taste to it.

For me it effectively means that I won't buy a OnePlus phone as my next mobile.

Looks like OnePlus started its enshittyfication process.

Source:

Speculating about the reason

China flashers

I was interested in why this was suddenly happening and someone on Reddit mentioned the big flasher market in China. Basically it goes like this:

  • OnePlus sells phones in China with ColorOS, for EU/US/global ship the phones with OxygenOS
  • People buy OnePlus phones in China for a considerably lower price than in EU/US
  • The device is flashed with OxygenOS or other ROMs
  • Now the device is sold outside China, making a big profit

This of course affects OnePlus directly. Their business model, their revenue, everything. So from a business point of view it is comprehensible that they did this. Also the lacking communication upfront and after the ARB discovery is sufficiently explained following this logic.

Still a shitty move. It would certainly help if OnePlus would finally comment on how they plan going forward with this, if other regions will be affected too in the future, etc.

And it also explains why people from all over the world report problems with the ColorOS 16.0.3.501 update. As they likely imported/bought a OnePlus from China and are now getting the ARB-affected OTA updates. As ARB has no method of knowing in which region a phone is operated in.

Then again there is this post on XDA Developers forum where some user claims "CPH2581_16.0.3.500 just dropped on OP12 EU." Where CPH2581 is the model code for the OnePlus 12 Global/EU version. And immediately after that post someone comments: "It's fused" showing a screenshot from a tool which checks the presence of the eFuse in the firmware.

Other users also confirm that their Global/EU/US region models received an eFused update.

So yeah.. OnePlus should really finally comment on this.

Also, the user who reported all this in the XDA Developers forum got his Reddit account banned shortly after, for yet unknown reasons.

Quick Update: My Reddit hub (u/AdaUnlocked) was suspended shortly after I shared this research. I'm not sure if it’s a technical glitch or due to coordinated reporting, but I've filed an appeal. For now, I will keep all technical updates centralized here on XDA.

OnePlus in trouble?

And then there is this article about OnePlus being in trouble because of declining sales and that it is possible that they will exit the US and EU market.

So.. This is a move to secure their market share in China? After all. Samsung has a similar feature with Samsung Knox. Just that... You know.. It doesn't brick your phone. It just disables some of the features Knox offers.

Comments

Bye Bye: Brave Browser

"Bye Bye" is a loose series of articles in which I explain why I no longer use the aforementioned provider and its services.

mthie wrote a short blog post in which he linked to the following XDA Developers article: https://www.xda-developers.com/brave-most-overrated-browser-dont-recommend/.

For me, personally, this article was a real eye-opener. I only knew about roughly half of the things that Brave has done over the years. I was especially unaware of the "Accepting donations for creators - who don't know anything about the Brave program" or the Honey-like "Let's replace referral codes in links and cookies with our own to steal the commission".

If a company pulls such stunts, it is not acting in good faith. Not acting in good faith makes you a bad actor.

Do you really want to use software from a bad actor? Yet alone have it installed on your mobile? It's the most private piece of technical equipment we own in these days.

Yeah, me neither. Hence Brave has been officially uninstalled from all my devices as of 20 minutes ago.

And I doubt I will miss it much, as Firefox on Android officially supports all extensions since end of 2023/beginning of 2024. Therefore extensions like uBlock Origin and uMatrix work perfectly fine. The fact that those were not supported back then was the main reason for choosing Brave in the first place.

Now with this reason being gone, so too is the crypto- and scam-infested Brave browser.

Comments

Termux and local DNS

The app Termux is an Android terminal emulator and provides an Linux environment. I have it installed on my phone to have many of the various command-line tools ready to use.

However, there is one big problem if you to have working local DNS resolution in your home network: Termux uses the Google DNS server 8.8.8.8 and 8.8.4.4 per-default. As this is a problem for many people, it is regularly discussed on GitHub: https://github.com/termux/termux-app/issues/130

And while I'm not having much expertise in regards to Android development it seems that Termux is not allowed to get the Android system DNS settings and hence can't properly update their resolv.conf whenever the DNS server changes.

Also it seems that some tools use the Android system DNS and others don't. nslookup for example uses the resolv.conf provided by Termux. This just adds to the confusion.

It doesn't matter if you've disabled private DNS in your network settings or not. As such they have little other choice but to ship their own resolv.conf file under /data/data/com.termux/files/usr/etc/resolv.conf with the Google DNS servers, which are also the default setting on Android:

~ $ cat /data/data/com.termux/files/usr/etc/resolv.conf
options timeout:2
options attempts:2
options rotate
nameserver 8.8.8.8
nameserver 8.8.4.4

My workaround

If I install vi (to have a useable editor) and edit the resolv.conf so that it only contains my local DNS server it works.

~ $ cat /data/data/com.termux/files/usr/etc/resolv.conf
options timeout:2
options attempts:2
options rotate
nameserver ip1.ip1.ip1.ip1
#nameserver 8.8.8.8
#nameserver 8.8.4.4

But the big downside is: As soon as my phone leaves my Wifi many things regarding Termux will simply stop working. I then have to change the resolv.conf back. Sure, it done easily and an easy script also comes to mind.. 

A more permanent and better solution?

Termux however has Unbound already installed. I could just add dnsmasq to the mix and configure it to send DNS queries for my local lan domain to my Pi-holes. This way the the resolv.conf can be left untouched.

Something like this should do the trick..

server=/lan/192.168.0.x

Has anyone already done that?

Others have come to different solutions

There is https://www.zenz-solutions.de/personaldnsfilter-wp/ which servers as a DNS filter for Android. And apparently one can somehow hook into the DNS resolution process on Android. Okayyy... Wild.

Comments

"The IT Crowd" Android easter egg

Holy shit! Didn't know of that easter egg.

Have you ever entered the "new emergency number" from The IT Crowd into your Android caller app?

I advise you to do so now. No, you don't need to press the call button. You don't need to actually establish/make a call. Just enter the complete number, that is:

0118 999 881 999 119 725 3

Cooooooool! 😆 And it even worked with my LineageOS ROM. 😆
(Doesn't work on GrapheneOS phones from what I heard.)

Comments

What the G? Exploring the current state of Google Apps & Play alternatives for Android ROMs

Photo by Kyle Roxas: https://www.pexels.com/photo/crackers-cheese-and-fruits-2122278/

I use LineageOS on my OnePlus 8T. Sadly I still run it with Android 11 and LineageOS 18.1. Which is quite old in 2025. My plans to update the firmware and ROM got postponed again as non-surprisingly: I need my phone.

However one of the new year resolutions I choose is to finally update my mobile so I'm not lacking behind on Android security updates for several years. *ahem*

To de-google or to not de-google?

Along with this a long-standing idea surfaced again: I want to remove as many Google services as possible without having to give up needed tools/services.

Therefore, the first question regarding updating my mobile is: Do I still want to keep using the Google Apps? Or do I want to use another suite of alternative GApps that enhance privacy at the cost of some features? Or do I want to get rid of Google's apps altogether?

Depending on the choice, I can only use some (or all) Google Apps.

The rule of thumb is: The more functionality you need, the more you are paying with your data. The less privacy you have.

On a normal Android phone, the Google apps (YouTube, Maps, Wallet, etc.) are almost always pre-installed. Contrary custom ROMs often can't pre-install these, as a) Google doesn't allow this, and b) nowadays ROM developers know that users choose an alternative ROM to gain more control over their digital life and therefore explicitly want to disable some (or all) features related to Google's services and apps.

Alternative Google apps packages: The agony of choice

For this, several Google Apps packages exist. All vary in features and what they try to accomplish.

The big three in this field are:

MindTheGapps

Currently I am running LineageOS with MindTheGapps. Which is their current standard (LineageOS Wiki). MindTheGapps uses the proprietary Google services/packages. It just servers as an installer for the official Google packages. This means you can use the Google Play store, Google Maps, every method of authentication with Google Firebase (more relevant than you might think), and the SafetyNet (here is a good site with a presentation, whitepaper & lectures about SafetyNet - also known as DroidGuard) feature on which banking apps often rely. Among all other Google services.

Update: Turns out SafetyNet is deprecated and now "Play Integrity" is the new technology. Googles documentation is here: https://developer.android.com/google/play/integrity/overview?hl=en and here is a blogpost from the LineageOS team about why they will never circumvent this kind of security feature: https://www.lineageos.org/PlayIntegrity/ Update end.

The downside? Google happily leeching as much data from you as they do.
But helpful if you just want a custom ROM and no hassle with non-working apps.

MicroG

A viable alternative is MicroG. MicroG is, to quote the project itself, "A free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries." This means MicroG is a redevelopment to match the functionality while keeping privacy-harming features out. This also means that privacy-focused ROMs like CalyxOS include them and allow users to choose if they want to activate them.

There is an overview about the implementation status of each feature in the MicroG apps: https://github.com/microg/GmsCore/wiki/Implementation-Status. And it also serves as a good example: In MicroG, two Firebase authentication methods are currently not supported. This means if an app you use only uses these two methods, you won't be able to sign in. It's generally advisable to check your important apps if they work with MicroG or not.

The neat thing is that MicroG uses signature spoofing to present itself as the Google apps. Additionally, the long-standing issue with allowing signature spoofing in LineageOS has been fixed recently. This means that if MicroG is installed via F-Droid and the app package is signed with the signature from the MicroG development team, LineageOS allows MicroG to spoof the signatures. Which eliminates many long-standing issues.

The neat thing is: This allows us to simply install MicroG via F-Droid and be done with it. No more incorporating the MicroG image during the flash process.

Information about their F-Droid repository can be found here: https://microg.org/fdroid.html

Please, only install MicroG from their own repository. Don't install it from the PlayStore or other GitHub repositories. It's common to find Malware posing as the official MicroG package. One such example is documented in this Reddit-Thread: https://www.reddit.com/r/MicroG/comments/1icxc8h/malware/

And here is an interview with the MicroG developer about how it all came to be: https://community.e.foundation/t/microg-what-you-need-to-know-a-conversation-with-its-developer-marvin-wissfeld/22700

OpenGApps

Honestly, I still did know this project from when I first flashed my phone. And it was the first project I had a looked after. But sadly it seems that development is currently very slow.

The last news post is from August 23, 2019.
Android 11 is the last supported OS version, according to their homepage.
The last update in their SourceForge repository happened on May 3rd, 2022. Stating that support for Android 11 is, for most variants, still in the testing phase. According to their GitHub issues, some support for Android 12 should be there, but I didn't dig deeper into this.

In this GitHub issue, it's stated that they currently suffer from a lack of supporters/maintainers and have problems with their build server infrastructure, etc.

Therefore, I didn't look any deeper into this. If you want: Here is a link about what package contains which features: https://github.com/opengapps/opengapps/wiki/Advanced-Features-and-Options

Google Play store alternatives

Now that we have decided which package we want to use, we probably want to quit using the Google Play Store. After all, the more Google apps we replace, the less we are dependent on their services running on our phone.

Luckily, there are two app store alternatives that solve all our problems together.

F-Droid

F-Droid is the most commonly used alternative app store. It focuses on OpenSource software, rebuilding the .apk packages from the official repositories. Undesired features such as tracking, ads, or proprietary code are listed on the apps' site. However, due to hosting all files themselves and having a focus on privacy and OpenSource they have their own inclusion policy, which apps need to fulfill in order to be added to F-Droid. Hence, many commercial apps simply can't be added as they either directly use Google's Play services or other proprietary software to build their app. Or the company simply doesn't agree to being hosted on F-Droid.

This has the direct result that many popular apps will & can never be available on F-Droid. Which leads us to...

Aurora OSS

Aurora OSS is another Google Play store alternative. One that is even usable with and without Google services or even MicroG. As Aurora is directly accessing the Google Play store you can download all apps, even the ones you paid for - as long as you log in with your Google account.

For the rest. I recommend reading their project description: https://gitlab.com/AuroraOSS/AuroraStore. The "nicer" looking URL is https://auroraoss.com/; however, this is just to forward you to their GitLab project.

There is however a report that a freshly created Google account that solely used Aurora got deleted after just two hours: https://www.reddit.com/r/degoogle/comments/13td3iq/google_account_deleted_after_2_hours_of_aurora/ and https://news.ycombinator.com/item?id=36098970

But then again, this was the only big reporting on that matter. So I can't really tell what will happen to accounts which are also used for YouTube. Or that have paid apps in the Play store connected to their account.

This discussion on Reddit provides a little bit of insight as to why this could happen to an account.

Conclusion

Aurora combined with F-Droid means we have a solution to get any and all apps we need.

And even if you plan on flashing your Android device or not. Both app stores can be used on any phone. Allowing you to test them out prior to making any fundamental changes to your phone.

Side note: Vanishing developers

While doing my research for this article, I spent some time in the XDA developers forum, on GitHub, GitLab instances, and even SourceForge. And I noticed a constantly reoccurring pattern: many of the developers simply stopped being present in the last few years. No new posts in the XDA Developers forum. No activity on GitHub, etc.

Now it's not uncommon for OpenSource projects to lose contributors or even main project developers. After all, people do have a job, a family, a life. And somehow they need to earn money. Nothing surprising about that.

But I additionally noticed that many seem to be male and of Russian nationality. Given the fact that the Russian attack on Ukraine started in February 2022 and many developers went silent in the last 2-3 years, I have a bad feeling that many of them were conscripted into the Russian army.

Let's just hope that I am wrong...

Comments