1036
Google is silently blocking RCS messages on rooted Android phones and custom ROMs
(www.androidauthority.com)
This is a most excellent place for technology news and articles.
This is really it. Plus not everyone who roots (or, rather, everyone with a rooted phone) fully understands the security implications of running as root. I’d assume that since their implementation of end to end encryption must require a device-side key pair, and I’d wager that it’s pretty trivial to obtain private keys once you’ve obtained control of a rooted phone. For an adversary, this is a serious threat to the users privacy and security.
This is just one example. I’m sure it’s incredibly difficult to make a platform that you market as secure and private when your users have full control of the system that the application is running on. It’s a never ending cat and mouse game where the device user (whether “intended use” or not) has the upper-hand most of the time.
Not being a total Google apologist here though. They should have made it quite clear that they were blocking messages, and why. Not doing at least that, is inexcusable.
I'm a hardliner when it comes to user control of their own devices, so I'm not going to agree with Google's behavior here even if it, on average results in a benefit to users.
I don't think it provides a net benefit to users though. I think Google wants to be lazy about building spam-mitigation solutions, and wouldn't be sad if it results in fewer users blocking ads and tracking. If Google was positioning its RCS client as a hardcore security product, maybe it should warn both sides of the conversations that there's a risk of compromise, but even Signal, which is far more dedicated to security doesn't do that.
Zero-click exploits are a more common attack vector than modified operating systems in the real world, and I'd be willing to wager my up-to-date LineageOS install is less vulnerable to them than the average person's phone.
Do they not have the equivalent of TPM/Secure Enclave on Android phones?
Because if they don't have actually secure key stores, and require them for certification, that's on them.