Unlocked bootloader, safe or not?

Looks like even OnePlus lost the ability to relock the bootloader with custom signed keys, at least with Android 12 firmware.
Considering Pixel phones are not available everywhere, is using a phone with custom ROMs like DivestOS or LineageOS with an unlocked bootloader worth the privacy gains over the security losses?

  1. What are the actual security issues of using an unlocked bootloader?
  2. I am aware it's more vulnerable to physical attacks, but how easy is this one?
  3. Are remote attacks easier on these devices than on a phone with a locked bootloader?

Can somebody share some strong suggestions for the threat models below?
Person 1 - Protection from corporations
Person 2 - Protection against targeted, non-government attacks.

Depends on the software your phone ships with and which custom ROM you consider using. An official Lineage build with MicroG is a lot better than what most vendors ship with. A custom ROM from someone you do not trust however can be catastrophic.

Not a lot as far as I'm aware. Someone with access to the device could install harmful software without wiping the device. A bit like leaving your laptop unsupervised with someone else. For most people the data harvesting and tracking from vendors is far more detrimental. Common thieves do not have the know-how to take advantage of an unlocked bootloader. If you're a potential target for government entities or corporate spying then I would leave the bootloader locked.

Not as far as I'm aware, no.

  1. Lineage build with MicroG and replacing most of your applications with open source alternatives. This is the best option for most people as it has close to no downsides whilst increasing your privacy significantly.
    You can skip MicroG which is a bit better but it renders a lot of features and applications broken (e.g. banking applications do not work; push notifications are broken; in-app purchases are not possible).

Official Lineage builds with MicroG pre-installed can be found here, and for other custom ROMs you can find various iterations of MicroG with ease here.

  1. In-person attacks? Get a phone from a privacy-respecting vendor and leave your bootloader locked. Replace closed source applications with trusted open source alternatives and do not use old technologies like SMS/MMS; don't click on links from untrusted sources; don't leave your phone unsupervised. Hard to achieve this without losing privacy, as Android phones ship with G services which cannot be disabled, and no one knows what iOS does or who Apple provides access to.

Targeted attacks without physical access > do the #1 route above.


This is huge! I had the same question about whether it's safe to unlock my bootloader. Thanks!

Hello!
I am not a security expert, but I can tell that unlocking the bootloader will make your device unsafe. As Miu answered above, someone could install and boot malicious software which could just give them full access to your device without needing to wipe your phone. And I am guessing it may not be very hard to do this, or it would require expert knowledge. On my previous phone I had put a custom ROM with an unlocked bootloader, and actually its custom recovery allowed me to remove any password on the OS right from the recovery. Also there are chances that even if the recovery is password protected, an unlocked bootloader could still allow flashing another recovery which could mess with the system partition to hijack the data. It may even allow someone to carry out brute-forcing attempts against the existing system.
By this time you could have guessed why Calyx or Graphene developers only use devices that can be relocked. There was actually an interview with a GrapheneOS developer where he explained the importance of verified boot. You can listen to it to get an idea. Interview With A GrapheneOS Developer.
I think the threat would be mostly related to physical security, and any remote threats would be the same as for locked bootloader ones.
I don't know how well password-protected recoveries provide security, and if the threat is from corporations or governments, then it would really not be advisable to unlock the bootloader.
If you are only looking to get rid of Google related services then there are debloaters too, like UAD (Universal Android Debloater), or simply adb, that can do the job.
Cheers!
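A way to check where a device actually stands on the verified-boot scale discussed in this thread, as an added example that is not part of anyone's post here: it reads the `ro.boot.verifiedbootstate` and `ro.boot.flash.locked` properties (real Android properties, as reported by `adb shell getprop`) and maps them to the locked / custom-key / unlocked states. The sample property lines are constructed; the live check assumes adb is installed and the device is authorised.

```shell
#!/bin/sh
# Classify a device's verified-boot state from `getprop` output.
# green  = bootloader locked, OS signed by the OEM key
# yellow = bootloader locked, OS signed by a user-enrolled (custom) key
# orange = bootloader unlocked, no boot verification enforced
# red    = verification failed

# classify_boot_state PROPS
#   PROPS is the text of `adb shell getprop`; prints one of:
#   locked-verified, locked-custom-key, unlocked, tampered, unknown
classify_boot_state() {
    props="$1"
    state=$(printf '%s\n' "$props" \
        | sed -n 's/^\[ro\.boot\.verifiedbootstate\]: \[\(.*\)\]$/\1/p')
    locked=$(printf '%s\n' "$props" \
        | sed -n 's/^\[ro\.boot\.flash\.locked\]: \[\(.*\)\]$/\1/p')
    case "$state" in
        green)  echo "locked-verified" ;;
        yellow) echo "locked-custom-key" ;;
        orange) echo "unlocked" ;;
        red)    echo "tampered" ;;
        *)      # No verifiedbootstate reported: fall back to the flash lock flag.
                if [ "$locked" = "0" ]; then echo "unlocked"; else echo "unknown"; fi ;;
    esac
}

# Live check against a USB-connected device (requires adb and an authorised device).
check_device() {
    classify_boot_state "$(adb shell getprop)"
}

# Constructed sample `getprop` output for three devices (not captured from real hardware).
SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.version.release]: [12]'
SAMPLE_LOCKED='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]'
SAMPLE_CUSTOM_KEY='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [yellow]'
```

Run `check_device` with a phone attached; anything other than `locked-verified` or `locked-custom-key` means the boot chain is not being verified.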